[Snort-users] where can i find info about events
mkettler at ...4108...
Mon May 10 08:29:08 EDT 2004
At 09:49 AM 5/10/2004, derk van de Velde wrote:
>where can i find info about e.g. "attempted information leak"
>how severe is it?
"Attempted information leak" is a class of alerts, not any specific event.
There are dozens of rules in this class, some severe, some not.
If you want some description of a specific alert, enter its SID into the
rule documentation search that's on www.snort.org.
For example this alert:
[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx Ack: 0xxxxxxxxx Win: 0x415B TcpLen: 20
has a SID of 1549, which I extracted from [1:1549:11].
Note that the first digit must be 1: for it to be a rule. Anything else is
generated by the preprocessors and isn't documented in the rule docs, it's
documented in the docs for the preprocessor itself.
Entering 1549 into the search gets me this:
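As an added example (not part of the post above, and not Snort's own code): a small Python parser that pulls the [gid:sid:rev] triple, message, classification and priority out of alerts written in Snort's full-alert format, and tells you whether the ID belongs to a rule (GID 1, look the SID up in the rule docs) or to a preprocessor (any other GID, look in that preprocessor's docs). The sample alerts are constructed; the second one's GID is just a placeholder that differs from 1.

```python
import re

# Constructed sample log in Snort's "full" alert format: the first alert is the
# one quoted in the post (addresses/timestamps masked as they were there), the
# second is a made-up preprocessor alert whose GID is a placeholder (not 1).
SAMPLE_LOG = """\
[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx Ack: 0xxxxxxxxx Win: 0x415B TcpLen: 20

[**] [111:1:1] (spp_placeholder) constructed preprocessor alert [**]
xx/xx-xx:55:37.000000 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
"""

# "[**] [gid:sid:rev] message [**]" and the optional classification line.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")


def parse_alert(block):
    """Parse one full-format alert block into a dict.

    'source' is 'rule' when gid == 1 (the SID is documented in the rule
    docs) and 'preprocessor' otherwise (documented with that preprocessor).
    """
    lines = block.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    alert = {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
             "classification": None, "priority": None,
             "source": "rule" if gid == 1 else "preprocessor"}
    # Preprocessor alerts often carry no classification line, so it is optional.
    c = CLASS_RE.match(lines[1]) if len(lines) > 1 else None
    if c:
        alert["classification"] = c.group(1)
        alert["priority"] = int(c.group(2))
    return alert


def parse_alert_log(text):
    """Split a full-format alert file on blank lines and parse each alert."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


if __name__ == "__main__":
    for a in parse_alert_log(SAMPLE_LOG):
        print("%-12s gid=%d sid=%d rev=%d prio=%s  %s" % (
            a["source"], a["gid"], a["sid"], a["rev"], a["priority"], a["msg"]))
```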