[Snort-users] newbq: snort working, getting hits, got sig id's. What now?

Giles Coochey giles at ...9346...
Tue Dec 4 08:35:04 EST 2012

On 29/11/2012 23:29, Thomison, Lee wrote:
> Pardon the newbie question, but...
> I've got snort up and running (via security onion 12.04), got latest 
> vrt rules, etc.  Let it run overnight and now I've got hits (surprise, 
> surprise).  I've got sig id's for the first couple of high event count 
> hits I want to look at, but what now? Where do I go next or what do I 
> do next to decide whether I have a problem or not?
> Here's the two sigs I want to use as trainers for myself:
> 2102649            GPL SQL service_name buffer overflow attempt
> 2102650            GPL SQL user name buffer overflow attempt
If you have security onion running the best way to look at these is with 
the sguilclient - you can isolate the alerts and get a full TCP 
conversation transcript (with a right click) or view the connections in 
Wireshark and/or Network Miner.

Your interest is in whether this was a false positive, an attempted 
attack, or a successful attack.

Use the information provided to find out which of these occurred. 
Sometimes source and destination IPs are enough for you to disregard 
alerts, but in any case, as you are using Security Onion, you should 
have the full packet capture available to you.


Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
giles at ...9346...
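An added example (not from this thread or from Snort/Security Onion) of the first triage pass Giles describes: it parses Snort alert_fast lines, keeps only the two sids the original poster asked about, and groups the hits by source/destination pair so you can see which conversations to pull full transcripts for in Sguil. The alert lines are constructed for the example, and sid 9999999 is a made-up placeholder so the filter has something to drop.

```python
import re
from collections import Counter, defaultdict

# Regex for Snort's alert_fast line format: timestamp, [gid:sid:rev], msg, proto, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (not real captures): the two sids from the thread plus
# one unrelated, made-up sid (9999999) so the filter has something to drop.
SAMPLE_ALERTS = """\
12/04-02:11:09.104221  [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.15:51022 -> 10.0.0.9:1521
12/04-02:11:09.204911  [**] [1:2102650:8] GPL SQL user name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.15:51022 -> 10.0.0.9:1521
12/04-02:13:44.001203  [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.44:40188 -> 10.0.0.9:1521
12/04-02:20:01.550000  [**] [1:9999999:1] CONSTRUCTED unrelated example alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:80 -> 10.0.0.44:40190
"""

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def triage(alerts, sids):
    """Return {sid: Counter({(src, dst): hits})} for the sids of interest only.
    A sid whose hits all come from one or two pairs is quick to check by transcript;
    many distinct sources for the same rule more often points at a noisy rule."""
    wanted = set(sids)
    by_sid = defaultdict(Counter)
    for a in alerts:
        if a["sid"] in wanted:
            by_sid[a["sid"]][(a["src"], a["dst"])] += 1
    return dict(by_sid)

def transcript_candidates(alerts, sids):
    """Distinct (src, dst) pairs to pull full TCP transcripts for, busiest pair first."""
    pairs = Counter()
    for counts in triage(alerts, sids).values():
        pairs.update(counts)
    return [pair for pair, _ in pairs.most_common()]

if __name__ == "__main__":
    print(transcript_candidates(parse_alerts(SAMPLE_ALERTS), ["2102649", "2102650"]))
```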
