[Snort-users] Relation between events and rules set.
jsage at ...2022...
Wed Apr 23 18:16:02 EDT 2003
Let's do a little trimming:
On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:
> Hi all,
> We are working on threath management system using snort +
> logsnorter + syslog servers, but the core is snort.
> I need know , how find the relation between the event and the
> set of rules that trigger it event.
Is the question "which specific rule was triggered by a specific
event" ie: alert?
grep 'insert_phrase_from_alert' *
[**] [1:0:0] TCP inbound to 80 http [**]
04/21/03-18:07:00.234228 188.8.131.52:1894 -> 184.108.40.206:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDEEB0032 Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[toot at ...8592... /storage/snort]$ grep 'inbound to 80' *
tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80
(msg:"TCP inbound to 80 http";)
"You are in a twisty maze of weblogs, all alike."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
More information about the Snort-users