[Snort-users] Newbie Questions

James Sinnamon frodo000 at ...368...
Sun Jul 11 00:23:02 EDT 2004

Dear snorters,

1. Where to find information regarding records in 'alert' log files?

I noticed, by chance, an attempted IIS attack against my apache webserver, 
when I was watching the httpd log files.  (I was advised by someone on 
the debian-firewall mailing list that it looked like an IIS attack.)  

The snort alert file showed two records which closely match the attack:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
07/10-11:32:45.770453 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25375 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA38FD  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/10-11:32:45.861390 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25376 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA3EB1  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

Where can I find more information about these alerts?  Is there a snort ID
somewhere in these records, or something else which I can use in a query of

I would also like to understand the significance of another kind
of record:

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
07/11-16:25:57.693323 ->
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1290
***AP*** Seq: 0xEE4A9389  Ack: 0x8D7C522A  Win: 0x3F8E  TcpLen: 20

... from my incomplete understanding, it seems to be originating from 
my own server (, so I am not sure what to make of
it, but if someone could point me towards the documentation I would 
be greatly obliged.

3. No need for alarm, yet?
I have open listening ports for ssh, https, smtp and icmp (ping) as 
well as http.  I have used all the rules (except a few obviously 
inapplicable ones) supplied with my Debian (testing) package.

When I grep'd the (unzipped) alert.* logs, I only found alerts relating
to 80/http (using 'grep " -> " alert* | grep ":25$"' for example), so 
can I assume that no-one out there has so far attempted to attack these 
other ports with any form of attack already known to snort?

4. Rules not necessary for firewall blocked ports?

Can someone confirm: I only need use rules relating to unblocked ports,
so there is no reason to use rules related to, as examples, pop3, imap,
squid and postgresql, until I decide to run these services and unblock 
their listening ports?

Does the use of redundant rules (if they are redundant) incur a 
significant cost in performance?



James Sinnamon
frodo000 at ...12095... net au 
+61 412 319669, +61 2 95692123
(aka jaymz-.a.t.-bigpond-net-auStralia)
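Added example, not part of the post above: a small Python parser for the full-format alert records quoted in questions 1 and 3. The bracketed triple in each record is [generator id:signature id:revision]; gid 1 means a rule from the *.rules files (message text in sid-msg.map), while any other gid is a preprocessor, and gid 119 is http_inspect, whose messages are listed in gen-msg.map and the preprocessor documentation rather than in the rules files. The sample alert text is constructed, modelled on the post's records, with RFC 5737 documentation addresses; sid 1000001 is a hypothetical local rule, not a real Snort signature.

```python
import re
from collections import Counter

# Constructed sample alert.* content in Snort's "full" alert format, modelled on
# the records quoted in the post. Addresses are RFC 5737 documentation ranges,
# the fourth record deliberately has its addresses blanked out (as in the post),
# and sid 1000001 is a hypothetical local rule, not a real Snort signature.
SAMPLE_ALERTS = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
07/10-11:32:45.770453 198.51.100.7:2291 -> 192.0.2.10:80
TCP TTL:120 TOS:0x0 ID:25375 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA38FD  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/10-11:32:45.861390 198.51.100.7:2291 -> 192.0.2.10:80
TCP TTL:120 TOS:0x0 ID:25376 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA3EB1  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

[**] [1:1000001:1] LOCAL smtp probe constructed [**]
07/11-03:14:09.000001 203.0.113.5:4521 -> 192.0.2.10:25
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x4470 TcpLen: 20

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
07/11-16:25:57.693323 ->
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1290
***AP*** Seq: 0xEE4A9389  Ack: 0x8D7C522A  Win: 0x3F8E  TcpLen: 20
"""

# First line of a record: [**] [gid:sid:rev] (preprocessor) MESSAGE [**]
# The "(preprocessor)" part is only present for preprocessor-generated alerts.
HEADER_RE = re.compile(
    r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:\(([^)]+)\) )?(.*?) \[\*\*\]$")


def parse_endpoint(text):
    """'ip:port' -> (ip, port); 'ip' (e.g. ICMP) -> (ip, None); '' -> (None, None).
    IPv4 only, which is what this alert format carried at the time."""
    if not text:
        return None, None
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text, None


def parse_alerts(text):
    """Split full-format alert output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0]) if lines else None
        if not m or len(lines) < 2:
            continue  # not a record we understand; skip rather than crash
        gid, sid, rev, preproc, msg = m.groups()
        timestamp, _, endpoints = lines[1].partition(" ")
        left, _, right = endpoints.partition("->")
        src, sport = parse_endpoint(left.strip())
        dst, dport = parse_endpoint(right.strip())
        proto = lines[2].split()[0] if len(lines) > 2 else None
        records.append({
            "gid": int(gid), "sid": int(sid), "rev": int(rev),
            "preproc": preproc, "msg": msg, "timestamp": timestamp,
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return records


def by_dst_port(records, port):
    """The grep ':25$' from the post, done on parsed fields instead of raw lines."""
    return [r for r in records if r["dport"] == port]


def dst_port_counts(records):
    """How many alerts hit each destination port (None = address redacted/absent)."""
    return Counter(r["dport"] for r in records)


def lookup_hint(record):
    """Where the [gid:sid:rev] triple points: gid 1 is a rule from the *.rules
    files (sid-msg.map); any other gid is a preprocessor (119 = http_inspect),
    whose messages are in gen-msg.map and the preprocessor README."""
    if record["gid"] == 1:
        return "sid %d rev %d: search the *.rules files / sid-msg.map" % (
            record["sid"], record["rev"])
    return "gid %d (%s) sid %d: see gen-msg.map and the preprocessor docs" % (
        record["gid"], record["preproc"] or "preprocessor", record["sid"])


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print("%s %s:%s -> %s:%s  %s" % (r["timestamp"], r["src"], r["sport"],
                                         r["dst"], r["dport"], lookup_hint(r)))
    print("alerts per destination port:", dict(dst_port_counts(recs)))
```

Run it against a real alert file with `parse_alerts(open("alert").read())`; `dst_port_counts` then answers question 3 for every port at once instead of one grep per port, and a record with blank endpoints (like the OVERSIZE CHUNK one in the post) parses with `src`/`dst` set to None rather than being silently missed by a pattern that expects an address.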

