[Snort-users] How to find Snort ID in /var/log/snort/alert records?

James Sinnamon frodo000 at ...368...
Sun Sep 26 22:07:15 EDT 2004


Dear Snort users,

I have had Snort running since May on a Debian
Linux system, but I still do not know how to 
use the information in  /var/log/snort/alert*.
I bought "Snort for Dummies" to kick start 
myself, but the description of the alert records
des not correspond to what I find on my system. 

In particular, I am unable to 
obtain a 'Snort ID' which matches anything at: 

  http://www.snort.org/cgi-bin/done.cgi

(For all I know, my firewalled system, 
running an SMTP server, Mailman, sshd and 
Apache, may well have been hacked into
and totally compromised in this period of time,
and Snort may have changed to output only 
gibberish.)

The content of /var/log/alert now includes (with IP addrs changed):

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF0F14CE9  Ack: 0xF0CED3A  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 175525 948682168

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF120D22B  Ack: 0x778B898C  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 176608 939098917

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x69DCF1BA  Ack: 0xFBBF7BBA  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 368601 648869733

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x6CC6FC5C  Ack: 0xCED41371  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 373991 780114678

... do the above records contain snort ID's?  The closest I can find are:
 [119:16:1], [119:15:1], and [119:2:1].

Also, I am not sure which of the port pairs is meant to be the source and 
which is meant to be the destination.  Are the above, records of :

  !)  attempts to hack into my system (147.16.81.75), or
  2) or attempts by processes on my system to hack into other 
       systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?

TIA 

James

-- 
James Sinnamon
frodo000 at ...12095... net au 
+61 412 319669, +61 2 95692123




More information about the Snort-users mailing list