[Snort-users] Relation between events and rules set.

David Alonso De La Vega Tapage delavegad at ...7768...
Thu Apr 24 13:09:02 EDT 2003


Say it in Spanish ..   there are a couple of us Spanish speakers here who 
can also give you a hand ..  ! Of course, on my part my knowledge is 
minimal, but it may be of some use ..


Julio Jaime wrote:

>Hi John,
>
>       I'm sorry, English is not my language and it is difficult for me to
>explain it.
>
>       You have different sets of rules:
>
>       web-cgi.rules, web-coldfusion.rules, web-frontpage.rules,
>web-iis.rules, web-misc.rules, x11.rules... etc.
>
>       The events trigger specific rules (rules within these sets of rules).
>
>       Ex.: WEB-IIS cmd.exe access ---> in web-iis.rules
>
>       The only reference to the set of rules in the snort alert is the msg
>header, and it is not reliable. (ex. in web-misc.rules you have msgs with
>WEB-MISC and WEB-PHP...)
>
>        If we can know the set of rules that triggered the events, we can
>use it to calculate the event severity.
>
>        The "WEB-IIS cmd.exe access" alert is not dangerous on an Apache Web
>Server.
>
>	 Is it OK?
>
>Thanks a lot.
>
>J.J.           
>
>-----Original Message-----
>From: John Sage [mailto:jsage at ...2022...]
>Sent: Wednesday, April 23, 2003 10:10 p.m.
>To: Julio Jaime
>CC: 'snort-users at lists.sourceforge.net'
>Subject: Re: [Snort-users] Relation between events and rules set.
>
>
>Julio:
>
>Let's do a little trimming:
>
>On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:
>  
>
>>Hi all,
>>
>>     We are working on a threat management system using snort +
>>logsnorter + syslog servers, but the core is snort.
>>
>
><snip>
>
>  
>
>>     I need to know how to find the relation between the event and the
>>set of rules that triggers that event.
>>
>
>Is the question "which specific rule was triggered by a specific
>event" ie: alert?
>
>cd /wherever_your_snort_rules_are/
>grep 'insert_phrase_from_alert' *
>
>To wit:
>
>[**] [1:0:0] TCP inbound to 80 http [**]
>[Priority: 0]
>04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
>TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
>******S* Seq: 0xDEEB0032  Ack: 0x0  Win: 0x2238  TcpLen: 28
>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>
>[toot at ...8592... /storage/snort]$ grep 'inbound to 80' *
>tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80
> (msg:"TCP inbound to 80 http";)
>
>
>
>- John
>  
>
>  
>

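John's grep and Julio's idea of scoring an event by the rule set it came from, written out as an added Python example (this is not code from the thread or from the Snort project): it indexes a few rule files by msg text and by gid:sid, resolves an alert header like the one John pasted back to the file the rule lives in, and applies a severity table. The rule file contents other than John's "TCP inbound to 80 http" rule, the sid numbers, and the severity table are assumptions made here for illustration. Matching on gid:sid is tried first, because the msg prefix (WEB-MISC, WEB-PHP, ...) is, as Julio points out, not a reliable indicator of the rule set; a rule without a sid, like John's local one, still resolves through its msg.

```python
import re

# Constructed sample rule files (filename -> contents). Only the
# "TCP inbound to 80 http" rule is taken from the thread; the rest, including
# the sid/rev numbers, are assumed here for illustration.
RULE_FILES = {
    "web-iis.rules": (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
        'content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)\n'
    ),
    "web-misc.rules": (
        '# comment lines and blank lines are skipped by the indexer\n'
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-PHP phpinfo access"; flow:to_server,established; '
        'content:"phpinfo.php"; nocase; sid:1487; rev:4;)\n'
    ),
    "tcp191-local.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TCP inbound to 80 http";)\n'
    ),
}

# Rule option fields we care about. msg may contain escaped quotes.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# First line of a full-format Snort alert: [**] [gid:sid:rev] msg [**]
ALERT_HDR_RE = re.compile(r'\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]')


def index_rules(rule_files):
    """Build two lookup tables from rule files: (gid, sid) -> file and msg -> file."""
    by_sid, by_msg = {}, {}
    for fname, text in rule_files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = MSG_RE.search(line)
            if not m:
                continue  # not a rule with a msg option; nothing to key on
            by_msg.setdefault(m.group(1), fname)
            s = SID_RE.search(line)
            if s:
                g = GID_RE.search(line)
                gid = int(g.group(1)) if g else 1  # gid defaults to 1 (rules engine)
                by_sid[(gid, int(s.group(1)))] = fname
    return by_sid, by_msg


def rule_set_for_alert(alert_text, by_sid, by_msg):
    """Return the rule-set file that produced an alert, or None if unknown.

    gid:sid is authoritative when the rule carried a sid; a sid of 0 means
    the rule had none (like John's local rule), so we fall back to the msg.
    """
    m = ALERT_HDR_RE.search(alert_text)
    if not m:
        return None
    gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(4)
    if sid != 0 and (gid, sid) in by_sid:
        return by_sid[(gid, sid)]
    return by_msg.get(msg)


def severity(rule_set, web_server):
    """Assumed scoring, not Snort's: an IIS-specific rule firing against a host
    that runs something else (Julio's Apache case) is downgraded to low."""
    if rule_set is None:
        return "unknown"
    if rule_set == "web-iis.rules" and web_server != "iis":
        return "low"
    if rule_set.startswith("web-"):
        return "high"
    return "medium"


# John's alert from the thread, and one constructed alert for the IIS rule.
ALERT_LOCAL = """[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
"""
ALERT_IIS = "[**] [1:1002:5] WEB-IIS cmd.exe access [**]\n[Priority: 2]\n"


if __name__ == "__main__":
    by_sid, by_msg = index_rules(RULE_FILES)
    for alert in (ALERT_LOCAL, ALERT_IIS):
        rs = rule_set_for_alert(alert, by_sid, by_msg)
        print(alert.splitlines()[0], "->", rs, "severity on apache:", severity(rs, "apache"))
```

Point the indexer at a real rules directory by reading each *.rules file into the dict; the alert parser expects the full (non-fast) alert format, since that is the line that carries the gid:sid:rev triple.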