[Snort-users] HOW TO DECODE SNORT MESSAGES

Eric Hines eric.hines at ...8860...
Wed Nov 29 08:57:31 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Suresh,

Those look like alerts for custom Snort signatures (Added by AS)?
I assume then that you are not the administrator of the Snort IDS
sensors. You need to speak to whomever wrote those signatures and see
what the signatures detect on.

Looks like they were made for suspect port 80 traffic to 219.139.108.138?

What do you mean in your question, a way to decode the below messages?
Based on what I think you're asking:

1) Get the Snort rule. You'll want to locate the rules for the
sj-ids-int01 sensor, find the rule the custom rule thats triggering that
alert (probably in local.rules)


2) Get the packet that triggered it. Are you guys using any sort of
Snort monitoring tool or are you guys just sending Snort to syslog? As
you can see, the Syslog alerts don't contain the packet dump.

HTH.



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 221
Crystal Lake, IL 60014
Toll Free: (877) 262-7593
Fax: (847) 854-5106
Cell: (847) 456-6785
Web: www.appliedwatch.com



suresh wrote:
> Hi,
> 
>  
> 
> Is there any way on the internet to decode the below messages?
> 
>  
> 
> v 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1878 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 last message repeated 3 times
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [122:19:0] (portscan) UDP
> Portsweep {PROTO255} 66.114.175.16 -> 192.168.252.129
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1949 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1949 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1878 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1878 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1949 -> 219.139.108.138:80
> 
> Nov 29 08:55:58 HOME-sj-ids-int01 last message repeated 3 times
> 
> Nov 29 08:55:59 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1878 -> 219.139.108.138:80
> 
> Nov 29 08:55:59 HOME-sj-ids-int01 snort[6321]: [1:0:1] outbound port 80
> investigation - Added by AS {TCP} 192.168.203.131:1878 -> 219.139.108.138:80
> 
> Nov 29 08:55:59 HOME-sj-
> 
>  
> 
>  
> 
> Suresh
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFbZHL1va6QYTV0EMRAkREAJwPTfODAkSyMyRng0I5iKtZT3znlwCfR5E0
aUjH+ewZBvVTADmBC8hsOUo=
=DWFd
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list