[Snort-users] are snortalog thing ok here

jeremy chartier jeremy.chartier at ...953...
Mon May 24 05:15:10 EDT 2004


>hi,
>
>I tried a lot of log analyzers, but snortalog seems to give the most info until
>now?
>  
>
SnortALog seems to be, for me, the best script log analyser, but I don't
want to modify your choice ;)

>Questions:
>1. some events have no link, see below why?
>  
>
Links appear exclusively in the HTML report. SnortALog needs to use the
"rules" file to generate links. If you see it, you can view 1100 reference
signatures, and if you load all Snort signatures, you work with 2500.

If you want to improve this point, I suggest you generate your own "rules"
file from your latest Snort signatures with the "-genref" SnortALog option.
You can also add your own reference signatures (see PDF documentation).

>2. it would be great if from the list (see below) you can via button or link
>go to a summary of nodes in your network that had this message.
>  
>
Yes, but you can get this result by looking at other reports like:
Percentage and number of attacks to one host from any with same method
<http://jeremy.chartier.free.fr/snortalog/report.html#top>
Percentage and number of attacks from a host to a destination
<http://jeremy.chartier.free.fr/snortalog/report.html#top>

I hope this will be helpful for you.
Jérémy

>The distribution of attack methods
>% No Attack Priority Severity
>41.76 970  SCAN Proxy Port 8080 attempt {tcp}  2 medium
>36.85 856  WEB-IIS %2E-asp access {tcp}  2 medium
>4.86 113  WEB-PHP Advanced Poll popup.php access {tcp}  2 medium
>2.63 61  WEB-PHP PayPal Storefront arbitrary command execution attempt {tcp}  1 high
>2.45 57  ICMP Large ICMP Packet {icmp}  2 medium
>2.41 56  WEB-CGI redirect access {tcp}  2 medium
>1.85 43  ICMP PING NMAP {icmp}  2 medium
>1.64 38  WEB-MISC weblogic/tomcat .jsp view source attempt {tcp}  1 high
>1.21 28  WEB-MISC /doc/ access {tcp}  2 medium
>0.86 20  RSERVICES rexec username overflow attempt {tcp}  1 high
>0.82 19  RSERVICES rexec password overflow attempt {tcp}  1 high
>0.56 13  WEB-PHP viewtopic.php access {tcp}  1 high
>0.26 6  WEB-IIS view source via translate header {tcp}  2 medium
>0.26 6  WEB-MISC http directory traversal {tcp}  2 medium
>0.22 5  WEB-CGI calendar access {tcp}  2 medium
>0.17 4  WEB-CGI adcycle access {tcp}  2 medium
>0.17 4  WEB-CGI campus access {tcp}  2 medium
>0.17 4  ATTACK-RESPONSES 403 Forbidden {tcp}  2 medium
>0.13 3  WEB-CGI search.cgi access {tcp}  2 medium
>0.09 2  WEB-CGI finger access {tcp}  2 medium
>0.09 2  WEB-MISC RBS ISP /newuser access {tcp}  2 medium
>0.09 2  WEB-FRONTPAGE shtml.exe access {tcp}  2 medium
>0.09 2  WEB-FRONTPAGE _vti_rpc access {tcp}  2 medium
>0.09 2  WEB-FRONTPAGE /_vti_bin/ access {tcp}  2 medium
>0.09 2  MS-SQL probe response overflow attempt {udp}  1 high
>0.09 2  WEB-IIS _vti_inf access {tcp}  2 medium
>0.04 1  WEB-MISC backup access {tcp}  2 medium
>0.04 1  WEB-MISC ICQ Webfront HTTP DOS {tcp}  1 high
>0.04 1  WEB-CGI count.cgi access {tcp}  2 medium
>
>hope it is clear,
>regards,
>
>Derk van de Velde
>

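Both questions in the thread come down to two joins over Snort data: the rules file supplies the reference links the HTML report shows (question 1, where a signature with no matching rule or no reference: option ends up with no link), and the alert log supplies which destination hosts saw each signature (question 2). The script below is an added example, not SnortALog's code and not its -genref output format: it parses a few constructed Snort rules (the msg strings are the ones in the quoted report, the sids and references are made up), maps reference: options to URLs using prefixes in the style of Snort's reference.config (assumed here), and aggregates constructed fast-format alert lines into a per-signature, per-destination-host summary.

```python
import re
from collections import defaultdict

# Constructed Snort rules for the demonstration. Only the msg strings come from the
# quoted report; the sids, references and header fields are made up.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2e-asp"; nocase; reference:bugtraq,1814; reference:cve,2000-0942; classtype:web-application-activity; sid:1000; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flow:to_server; flags:S,12; classtype:attempted-recon; sid:1001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:url,www.example.invalid/advisory; classtype:web-application-activity; sid:1002; rev:2;)
'''

# URL prefixes in the style of Snort's reference.config (assumed, not read from SnortALog).
REFERENCE_PREFIXES = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

# One "key:value;" option inside the rule body; quoted values may contain ';'.
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rules(text):
    """Return {msg: {"sid": int, "links": [url, ...]}} for every rule line in text."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < 0:
            continue  # not a rule with an option body
        msg, sid, links = None, None, []
        for key, value in OPTION_RE.findall(line[start + 1:end]):
            value = value.strip().strip('"')
            if key == "msg":
                msg = value
            elif key == "sid":
                sid = int(value)
            elif key == "reference":
                system, _, ident = value.partition(",")
                prefix = REFERENCE_PREFIXES.get(system.lower())
                if prefix is not None:
                    links.append(prefix + ident)
        if msg is not None:
            result[msg] = {"sid": sid, "links": links}
    return result

# Snort "fast" alert format; ports are optional so ICMP lines match too.
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]'
    r'.*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$'
)

# Constructed alert lines (documentation address ranges, made-up sids).
ALERTS = [
    "05/24-05:15:10.000001  [**] [1:1001:3] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.5:8080",
    "05/24-05:15:11.000002  [**] [1:1001:3] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4445 -> 10.0.0.6:8080",
    "05/24-05:15:12.000003  [**] [1:1001:3] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:3000 -> 10.0.0.5:8080",
    "05/24-05:15:13.000004  [**] [1:1000:4] WEB-IIS %2E-asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 198.51.100.7:3001 -> 10.0.0.5:80",
    "05/24-05:15:14.000005  [**] [1:1003:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.9",
    "this line is not an alert and is skipped",
]

def hosts_by_message(alert_lines):
    """Return {msg: {dst_host: count}}: which nodes in the network saw each signature."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m is None:
            continue  # not a fast-format alert line
        summary[m.group("msg")][m.group("dst")] += 1
    return {msg: dict(hosts) for msg, hosts in summary.items()}

def build_report(rules_text, alert_lines):
    """Join both views: per signature, total count, hosts hit and reference links."""
    refs = parse_rules(rules_text)
    rows = sorted(hosts_by_message(alert_lines).items(),
                  key=lambda kv: -sum(kv[1].values()))
    return [{
        "msg": msg,
        "count": sum(hosts.values()),
        "hosts": hosts,
        # An empty list is the "no link" case from question 1: the rules file
        # has no rule for this msg, or the rule carries no reference: option.
        "links": refs.get(msg, {}).get("links", []),
    } for msg, hosts in rows]

if __name__ == "__main__":
    for row in build_report(RULES, ALERTS):
        print(f'{row["count"]:>4}  {row["msg"]}')
        for host, n in sorted(row["hosts"].items()):
            print(f"        {host}: {n}")
        for link in row["links"] or ["(no link)"]:
            print(f"        {link}")
```

Pointing parse_rules at a current rules file instead of the constructed RULES string is what turns "no link" rows into linked ones, which is the effect the reply attributes to regenerating the "rules" file from up-to-date signatures.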
More information about the Snort-users mailing list