Re: [Snort-users] barnyard & snort options

mail mail at ...9672...
Sun Jul 20 02:36:06 EDT 2003


> I use barnyard with
> /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -g
> /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log -w
> /var/log/snort/waldo
> and
> config daemon
> config hostname: spawn
> config interface: ppp0
> config filter: none
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output log_dump
> 
> For test purposes I started snort with -D, -Dd, -De and -DX and get the
> same log with all options:
> 
> [**] [1:1122:4] WEB-MISC /etc/passwd [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> Event ID: 2     Event Reference: 2
> 07/17/03-19:42:59.702279 192.168.63.3:4864 -> x.x.x.x:80
> TCP TTL:128 TOS:0x0 ID:41229 IpLen:20 DgmLen:420 DF
> ***AP*** Seq: 0x55C7FD49  Ack: 0x879C2314  Win: 0x4230  TcpLen: 20
> 47 45 54 20 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70  GET /../../etc/p
> 61 73 73 77 64 20 48 54 54 50 2F 31 2E 31 0D 0A  asswd HTTP/1.1..
> 41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69  Accept: image/gi
> 66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D  f, image/x-xbitm
> 61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20  ap, image/jpeg,
> 69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70  image/pjpeg, app
> 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D  lication/vnd.ms-
> 70 6F 77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C  powerpoint, appl
> 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65  ication/vnd.ms-e
> 78 63 65 6C 2C 20 61 70 70 6C 69 63 61 74 69 6F  xcel, applicatio
> 6E 2F 6D 73 77 6F 72 64 2C 20 61 70 70 6C 69 63  n/msword, applic
> 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61 76  ation/x-shockwav
> 65 2D 66 6C 61 73 68 2C 20 2A 2F 2A 0D 0A 41 63  e-flash, */*..Ac
> 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 64  cept-Language: d
> 65 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  e..Accept-Encodi
> 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
> 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
> 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
> 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35  atible; MSIE 5.5
> 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 30  ; Windows NT 5.0
> 3B 20 54 33 31 32 34 36 31 29 0D 0A 48 6F 73 74  ; T312461)..Host
> 3A 20 77 77 77 2E 70 65 72 69 73 65 63 2E 64 65  : www.xxxxxxx.de
> 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
> 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A              ep-Alive....
> 
> Does this make sense? 3 different options and the same output.

thx for help
jo
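The alert block quoted above is Snort's "full" alert format (header with gid:sid:rev, classification and priority, flow line, then a hex dump with an ASCII column). As an added example that is not part of the thread, the following Python parser reads such a block and decodes the hex column back into the raw payload so the request can be inspected directly; the sample alert is constructed and redacted, and the field names are the example's own.

```python
import re

# Constructed sample in Snort's "full" alert format (payload shortened and
# redacted; not the packet from the original message).
SAMPLE_ALERT = """\
[**] [1:1122:4] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/17/03-19:42:59.702279 192.168.63.3:4864 -> 10.0.0.5:80
TCP TTL:128 TOS:0x0 ID:41229 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x55C7FD49  Ack: 0x879C2314  Win: 0x4230  TcpLen: 20
47 45 54 20 2F 2E 2E 2F 2E 2E 2F 65 74 63 2F 70  GET /../../etc/p
61 73 73 77 64 20 48 54 54 50 2F 31 2E 31 0D 0A  asswd HTTP/1.1..
48 6F 73 74 3A 20 65 78 61 6D 70 6C 65 2E 74 65  Host: example.te
73 74 0D 0A 0D 0A                                st....
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Hex column: 1..16 two-digit bytes, then 2+ spaces before the ASCII column.
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){0,15}[0-9A-F]{2})\s{2,}")

def parse_alert(text):
    """Parse one full-format alert into a dict; the hex dump lines are
    decoded back into the raw payload bytes (ASCII column ignored)."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    alert = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
             "msg": m[4], "payload": b""}
    for line in lines[1:]:
        if (m := CLASS_RE.search(line)):
            alert["classification"], alert["priority"] = m[1], int(m[2])
        elif (m := FLOW_RE.match(line)):
            alert["timestamp"] = m[1]
            alert["src"], alert["dst"] = f"{m[2]}:{m[3]}", f"{m[4]}:{m[5]}"
        elif (m := HEX_RE.match(line)):
            alert["payload"] += bytes.fromhex(m[1].replace(" ", ""))
    return alert

def request_target(payload):
    """Return the request target of the first HTTP line, or None."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode("ascii", "replace") if len(parts) >= 3 else None

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a["sid"], a["src"], "->", a["dst"], request_target(a["payload"]))
```

Decoding the hex column rather than trusting the ASCII column matters when reviewing alerts, because the ASCII column shows non-printable bytes as dots and may have been edited before the log was shared.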