[Snort-users] Help with Alerts

Pratik Narang pratik.cse.bits at ...11827...
Sun Sep 9 04:30:06 EDT 2012


---------- Forwarded message ----------
From: Pratik Narang <pratik.cse.bits at ...11827...>
Date: Sun, Sep 9, 2012 at 12:52 PM
Subject: Re: [Snort-users] Help with Alerts
To: Joel Esler <jesler at ...1935...>


Pardon my ignorance, but isn't the sid-msg file supposed to contain all
sig IDs of the rule pack I downloaded? What is the difference between
just using Snort and using Snort with pulledpork?


On 9/8/12, Joel Esler <jesler at ...1935...> wrote:
> Probably want to.
>
> --
> Joel Esler
>
> On Sep 8, 2012, at 8:02 AM, Pratik Narang <pratik.cse.bits at ...11827...>
> wrote:
>
>> nope
>>
>> On Sat, Sep 8, 2012 at 5:23 PM, Joel Esler <jesler at ...1935...> wrote:
>>> If you are using pulledpork, it should generate your Sid-MSG.map for you.
>>> Are you using pulledpork?
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPad
>>>
>>> On Sep 8, 2012, at 7:21 AM, Pratik Narang <pratik.cse.bits at ...11827...>
>>> wrote:
>>>
>>>> Hi all,
>>>> Could someone help out with why I am not able to identify this alert in any
>>>> of the files?
>>>>
>>>> 09/08-16:25:26.843914  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
>>>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>>>> {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
>>>> 09/08-16:26:15.505341  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
>>>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>>>> {TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
>>>> 09/08-16:26:22.182389  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
>>>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>>>> {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
>>>> 09/08-16:27:12.671644  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
>>>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>>>> {TCP} 172.16.x0.y0:58790 -> 199.47.216.148:80
>>>> 09/08-16:27:19.259019  [**] [1:18608:6] Snort Alert [1:18608:0] [**]
>>>> [Classification: Potential Corporate Privacy Violation] [Priority: 1]
>>>> {TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80
>>>>
>>>> The sid corresponds to app-detect.rules (Dropbox activity), but I can't
>>>> locate that sid in sid-msg.map. Why so? Am I looking at the wrong place?
>>>>
>>>>
>>>> Snort version 2.9.3.1
>>>>
>>>> Thanks...
>>>>
>>
>
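Added example, not code from the thread, from Snort or from pulledpork: a small Python script that derives v1 sid-msg.map entries ("sid || msg || ref") from a rules file the way a rule-management tool does, then checks the posted alert line against that map to show why Snort fell back to the generic "Snort Alert [1:18608:0]" text. The rule header, msg and reference are constructed placeholders; only sid 18608 / rev 6 and the alert line come from the thread.

```python
import re

# Constructed sample rules: only the sid/rev come from the thread; the msg,
# header and reference are placeholders, not the real app-detect.rules text.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Dropbox activity - constructed sample"; flow:to_server,established; content:"Host|3A| "; reference:url,example.invalid/placeholder; sid:18608; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"disabled rule, must not be mapped"; sid:1000001; rev:1;)
"""

# Alert line as logged in the thread (fast-alert format, host octets masked as posted).
SAMPLE_ALERT = ("09/08-16:25:26.843914  [**] [1:18608:6] Snort Alert [1:18608:0] [**] "
                "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
                "{TCP} 172.16.x0.y0:58825 -> 199.47.216.148:80")

RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s.*?\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*));')   # name, quoted value, bare value
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

def sid_msg_map_from_rules(rules_text):
    """Derive sid -> 'sid || msg || ref...' (one v1 sid-msg.map line) from the
    active rules, as a rule-management tool does; commented-out rules are skipped."""
    entries = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid, msg, refs = None, None, []
        for name, quoted, bare in OPT_RE.findall(m.group("opts")):
            if name == "sid":
                sid = int(bare.strip())
            elif name == "msg":
                msg = quoted
            elif name == "reference":
                refs.append(bare.strip())
        if sid is not None and msg:
            entries[sid] = " || ".join([str(sid), msg] + refs)
    return entries

def resolve_alert(alert_line, sid_map):
    """Parse one fast-alert line; report whether Snort fell back to the generic
    'Snort Alert [gid:sid:0]' text and which msg the map would have supplied."""
    m = ALERT_RE.search(alert_line)
    gid, sid, rev, logged = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    entry = sid_map.get(sid)
    return {"gid": gid, "sid": sid, "rev": rev,
            "generic_msg": logged.startswith("Snort Alert ["),
            "msg": entry.split(" || ")[1] if entry else None}

def unmapped_sids(alert_lines, sid_map):
    """SIDs that fired but have no sid-msg.map entry: the map needs regenerating."""
    return sorted({resolve_alert(l, sid_map)["sid"] for l in alert_lines} - set(sid_map))
```

Running `unmapped_sids` over a day's alert file against the deployed sid-msg.map is a quick check that the map was regenerated after the last rule update.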