[Snort-users] Strange Alert

Nigel Houghton nhoughton at ...1935...
Wed Feb 10 08:28:52 EST 2010


On Wed, Feb 10, 2010 at 7:06 AM, Jens Link <jenslink at ...348...> wrote:
> Hi,
>
> I have a snort (2.8.5.2) setup here using barnyard (2.1.7) and base
> (1.4.4). Everything works as expected except for one alert which shows
> up on base:
>
> [snort]    Snort Alert [133:34:0]    unclassified
>
> I grepped /etc/snort and the source and didn't find anything. Any ideas?
>
> Jens
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264         |
> | http://www.quux.de | http://blog.quux.de   | jabber: jenslink at ...14772...0... |
> -------------------------------------------------------------------------
>


If you look in the gen-msg.map (it's in the distribution, look for it)
you will find:

133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on
non-last fragment less than maximum negotiated fragment transmit size
for client

Then if you look in the doc directory (it's in the distribution, look
for it) you will find the document that accompanies this event, it is
named 133-34.txt. (I thought the gid-sid.txt naming convention might
be helpful)

Also, you might want to enable the preprocessor rules, then you might
get the classification as well.

Oh, and one more thing about the events: for the fifty-hundred-billionth
time, the format is [GID:SID:REV], so the event you have would be GID
133 (look in the gen-msg.map again for the pre-processor that gives
the event), SID 34, REVISION 0.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
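The lookup Nigel describes (split the [GID:SID:REV] triple, find the GID/SID pair in gen-msg.map, and derive the gid-sid.txt doc name), as an added example that is not part of the original thread or the Snort distribution. The map text below is constructed: the 133/34 entry is the one quoted above, and the 999/1 line is a made-up placeholder.

```python
import re

# Constructed sample in gen-msg.map format ("gid || sid || message").
# Only the 133 || 34 line is a real entry (quoted in the thread);
# 999 || 1 is a placeholder added for illustration.
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
999 || 1 || example_preproc: constructed placeholder entry
"""

# Matches the event id as BASE/Snort print it, e.g. "[133:34:0]".
EVENT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map style text.

    gen-msg.map covers preprocessor/decoder events; ordinary rule
    SIDs under GID 1 live in sid-msg.map instead.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line: skip it instead of failing the whole load
        gid, sid = int(parts[0]), int(parts[1])
        table[(gid, sid)] = " || ".join(parts[2:])  # message may itself contain "||"
    return table


def parse_event_id(alert_text):
    """Extract (gid, sid, rev) from a string containing [GID:SID:REV]."""
    m = EVENT_ID_RE.search(alert_text)
    if m is None:
        raise ValueError("no [GID:SID:REV] triple found in: %r" % alert_text)
    return tuple(int(x) for x in m.groups())


def doc_filename(gid, sid):
    """Name of the accompanying file in the doc directory (gid-sid.txt)."""
    return "%d-%d.txt" % (gid, sid)


def describe_alert(alert_text, table):
    """Resolve a BASE-style alert line to a human-readable description."""
    gid, sid, rev = parse_event_id(alert_text)
    msg = table.get((gid, sid))
    if msg is None:
        return "GID %d SID %d REV %d: no entry in gen-msg.map" % (gid, sid, rev)
    return "GID %d SID %d REV %d: %s (see %s)" % (gid, sid, rev, msg, doc_filename(gid, sid))
```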