[Snort-users] newbq: snort working, getting hits, got sig id's. What now?

Y M snort at ...15979...
Sun Dec 2 06:47:31 EST 2012

It depends on the alerts you may get, for example: 1. If get an alert for a malware, say ZeroAccess Trojan outbound connectin, in this case you want to:     a. identify the infected host in your network, find the proper tools to remove the Trojan.     b. identify how the Trojan got in and how to prevent it from happing again, that could be in the firewall, or finding a better AV.2. If you get an attemped web application attack (cmd.exe access) attempts, you may want to check the reference url from the rule, in this case you will have a Microsoft KB or security bulletin, identify the affected systems from their and compare to your environment. You may block the offending IP address if you see repeated attempts from the same. There is a whole lot to do than that, you need to define your response methodology, and over time, you will be able to cover much of the alerts you get. Hope this helps.YM
 From: ThomisonL at ...15885...
To: snort-users at lists.sourceforge.net
Date: Thu, 29 Nov 2012 14:29:43 -0900
Subject: [Snort-users] newbq: snort working, getting hits,	got sig id's.  What now?

Pardon the newbie question, but…


I’ve got snort up and running (via security onion
12.04), got latest vrt rules, etc.  Let it run overnight and now I’ve got
hits (surprise, surprise).  I’ve got sig id’s for the first couple
of high event count hits I want to look at, but what now?  Where do I go next
or what do I do next to decide whether I have a problem or not?


Here’s the two sigs I want to use as trainers for




2102649            GPL SQL service_name buffer overflow

2102650            GPL SQL user name buffer overflow attempt


Where do I go to get more information on a sig id?


Now, in this case, the source ip is an old control systems
box sending data to a couple of oracle databases.  The source and dest IP’s
correspond with the ‘right’ boxes.  So I suspect that this is
simply a result of the vendor or oracle (or both) being sloppy.  But how do I
confirm (or not) ?


FWIW googling showed lots of info on how to write rules, but
nothing on what to do after a hit.





Keep yourself connected to Go Parallel: 
TUNE You got it built. Now make it sing. Tune shows you how.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121202/043331d0/attachment.html>

More information about the Snort-users mailing list