[Snort-users] where can i find info about events

Matt Kettler mkettler at ...4108...
Mon May 10 08:29:08 EDT 2004


At 09:49 AM 5/10/2004, derk van de Velde wrote:
>hi,
>
>where can I find info about e.g. "attempted information leak"?
>how severe is it?
>I'm new
>regards,
>derk

"Attempted information leak" is a class of alerts, not any specific event. 
There are dozens of rules in this class, some severe, some not.

If you want some description of a specific alert, enter its SID into the 
rule documentation search that's on www.snort.org.

For example this alert:

[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
xx/xx-xx:55:36.462727 xx.xx.xx.xx:xxxxx -> xx.xx.xx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0xxxxxxxxx  Ack: 0xxxxxxxxx  Win: 0x415B  TcpLen: 20

has a SID of 1549, which I extracted from [1:1549:11].

Note that the first digit must be 1: for it to be a rule. Anything else is 
generated by the preprocessors and isn't documented in the rule docs; it's 
documented in the docs for the preprocessor itself.

Entering 1549 into the search gets me this:

http://www.snort.org/snort-db/sid.html?sid=1549
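As an added example (not part of Matt's post or of Snort itself), a small Python parser for the full-format alert header quoted above: it pulls out the [gid:sid:rev] triple, classification and priority, and applies the rule that only gid 1 events have a snort-db entry. Both sample alerts are constructed; the second uses a made-up gid of 200 to stand for any preprocessor event.

```python
import re

# Constructed sample alerts (not from the post; addresses are documentation addresses).
# The first mirrors the rule-based alert quoted in the post, with masked fields filled in.
RULE_ALERT = """[**] [1:1549:11] SMTP HELO overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
05/10-08:55:36.462727 192.0.2.10:43210 -> 192.0.2.25:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:52
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x415B  TcpLen: 20
"""
# A preprocessor-generated event: gid != 1 and, typically, no Classification line.
# gid 200 is a constructed placeholder, not a real preprocessor id.
PREPROC_ALERT = """[**] [200:1:1] constructed preprocessor event [**]
05/10-08:55:40.000000 192.0.2.10 -> 192.0.2.25
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")


def parse_alert(text):
    """Parse one full-format Snort alert into a dict.

    gid 1 means the event came from a rule, so its SID can be looked up in
    the rule docs; any other gid is a preprocessor event and is documented
    with that preprocessor instead, so no snort-db URL is built for it.
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a Snort full-format alert header: %r" % (lines[:1],))
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    info = {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
            "classification": None, "priority": None}
    # The Classification/Priority line is optional; preprocessor events may omit it.
    if len(lines) > 1:
        c = CLASS_RE.match(lines[1])
        if c:
            info["classification"] = c.group(1)
            info["priority"] = int(c.group(2))
    info["from_rule"] = gid == 1
    info["doc_url"] = ("http://www.snort.org/snort-db/sid.html?sid=%d" % sid
                       if gid == 1 else None)
    return info


if __name__ == "__main__":
    for alert in (RULE_ALERT, PREPROC_ALERT):
        print(parse_alert(alert))
```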
