[Snort-users] Unified Log Format

Mario D. Santana mds at ...13379...
Tue Jun 28 20:40:04 EDT 2005


Martin,

> If you want a comprehensive map of the SIDs (Snort ID's) of GID 1, you should 
> look at the sid-msg.map file in the etc directory of your Snort distribution. 
> SID 527 is a bad-traffic.rules detect for same source/dest IP in a packet. 
> Typically you'll get these listening on loopback...

Ahh!  The sid-msg.map, now I get it.  In fact, this 527 alert is from an 
old log file from an early snort setup of mine.  Maybe I'll get ethereal 
to load up this file and generate the messages from it...

> [...] Typically the log data 
> will be a standard Snort packet, but on aggregate event like a portscan 
> you'll get our crammed packet type that we're overloading the field with.

Right.  I've actually been able to (mostly) decode the sfPortscan packets. 
I'm thinking about teaching ethereal to understand the actual packet 
contents for these.  It seems that these packets use the SLL ("linux 
cooked capture") encapsulation, but with a broken or missing SLL header? 
I've gotten it to work by forcing the encapsulation to ethernet -- then 
the normal ethereal ethernet dissector kicks in and the rest follows.  But 
the reference date is all wacky...

> GIDs 100, 117, 121 and 122 are all various portscan detectors that have been 
> built for Snort over the years, you might just want to skip those records...

Hmm.  Is there any way to get a full list of these "aggregate events" that 
you mention, along with details about the packet they fake up?

Thanks for the tips!  Some of these anomalies are starting to make sense.

Cheers,
mds
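Added example (not from this post or from the Snort project): a small loader for the sid-msg.map file mentioned above that resolves a unified-log (GID, SID) pair to its rule message and flags the portscan GIDs named in the thread as aggregate events; the map lines below are a constructed sample, not the shipped file.

```python
"""Resolve Snort (gid, sid) pairs from unified log records to rule messages.

Added example (not from the mailing-list post). The sid-msg.map sample below
is constructed for the demo; the real file ships in Snort's etc directory.
"""
from typing import NamedTuple

# Constructed sample in the classic "sid || msg || ref || ref ..." format.
SID_MSG_MAP_SAMPLE = """\
# sid-msg.map (constructed sample)
527 || BAD-TRAFFIC same SRC/DST || cve,1999-0016
528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
1000 || LOCAL test rule
"""

# GIDs the thread identifies as portscan / aggregate-event generators whose
# "packet" field carries an overloaded structure, not a normal captured frame.
AGGREGATE_GIDS = {100, 117, 121, 122}


class Resolved(NamedTuple):
    message: str
    references: tuple
    aggregate: bool


def parse_sid_msg_map(text):
    """Return {sid: (msg, refs)} from v1 sid-msg.map text; skips comments/blanks."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line: ignore rather than abort the whole load
        table[int(fields[0])] = (fields[1], tuple(fields[2:]))
    return table


def resolve(table, gid, sid):
    """Map a unified-log (gid, sid) to its message, flagging aggregate events.

    sid-msg.map only describes GID 1 (rule engine) events; events from other
    generators get a placeholder message so the caller can decide to skip them.
    """
    aggregate = gid in AGGREGATE_GIDS
    if gid == 1 and sid in table:
        msg, refs = table[sid]
        return Resolved(msg, refs, aggregate)
    return Resolved(f"<unknown gid {gid} sid {sid}>", (), aggregate)
```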
