[Snort-users] Relation between events and rules set.

John Sage jsage at ...2022...
Wed Apr 23 18:16:02 EDT 2003


Julio:

Let's do a little trimming:

On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:
> Hi all,
> 
>      We are working on a threat management system using snort +
> logsnorter + syslog servers, but the core is snort.

<snip>

>      I need to know how to find the relation between the event and the
> set of rules that trigger that event.
>            

Is the question "which specific rule was triggered by a specific
event", i.e. alert?

cd /wherever_your_snort_rules_are/
grep 'insert_phrase_from_alert' *

To wit:

[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDEEB0032  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[toot at ...8592... /storage/snort]$ grep 'inbound to 80' *
tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TCP inbound to 80 http";)



- John
-- 
"You are in a twisty maze of weblogs, all alike."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
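The grep above works because the text between the `[**]` markers in a Snort alert is the rule's `msg:` option verbatim, and the `[1:0:0]` field is `gid:sid:rev`. The following script, added here as an illustration and not part of the original thread or of the Snort project, automates that lookup: it parses the alert header, parses the `msg`, `sid` and `rev` options out of rule lines, and matches on `sid` when the alert carries one, falling back to the `msg` text when the sid is 0 (which is what you get for a local rule written without a `sid:` option, as in the post). The alert text and the rules file content (hypothetical name `local.rules`) are constructed inline so the script runs offline.

```python
import re

# Constructed sample alert, modelled on the one quoted in the post.
SAMPLE_ALERT = """[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
"""

# Constructed rules; the file name "local.rules" is hypothetical.
SAMPLE_RULES = {
    "local.rules": """# local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TCP inbound to 80 http";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH inbound"; sid:1000001; rev:2;)
""",
}

# "[**] [gid:sid:rev] message text [**]" as printed in Snort's alert output.
ALERT_HEADER = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
# One "key:value;" rule option; quoted values may contain escaped quotes.
RULE_OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_alert(text):
    """Return gid/sid/rev/msg from the first alert header found, or None."""
    for line in text.splitlines():
        m = ALERT_HEADER.search(line)
        if m:
            gid, sid, rev, msg = m.groups()
            return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}
    return None


def parse_rules(files):
    """Parse {filename: content} into a list of rule dicts with their options."""
    rules = []
    for fname, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            start = line.find("(")
            if start < 0 or not line.endswith(")"):
                continue  # not a rule with an options block
            opts = {}
            for key, val in RULE_OPTION.findall(line[start + 1:-1]):
                val = val.strip()
                if val.startswith('"') and val.endswith('"'):
                    val = val[1:-1].replace('\\"', '"')
                opts[key] = val
            rules.append({"file": fname, "line": lineno,
                          "header": line[:start].strip(), "options": opts})
    return rules


def find_rule(alert, rules):
    """Locate the rule behind an alert: by sid if it has one, else by msg text."""
    if alert["sid"] != 0:
        for r in rules:
            if r["options"].get("sid") == str(alert["sid"]):
                return r
    # sid 0 means the rule carried no sid option, so only the msg identifies it.
    for r in rules:
        if r["options"].get("msg") == alert["msg"]:
            return r
    return None


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    hit = find_rule(alert, parse_rules(SAMPLE_RULES))
    print(f"{hit['file']}:{hit['line']}: {hit['header']} msg={hit['options']['msg']!r}")
```

Matching on `sid` first matters in practice: two rules may share a `msg` string, and once you assign a `sid` to every local rule, the `[gid:sid:rev]` field identifies the exact rule and revision without any text comparison.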