[Snort-users] finding which rule

Richard Smollett yawningdogge at ...11827...
Thu Jul 24 15:52:50 EDT 2014


I use pulledpork.


On Thu, Jul 24, 2014 at 3:50 PM, Y M <snort at ...15979...> wrote:

> Date: Thu, 24 Jul 2014 15:44:24 -0400
> From: yawningdogge at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] finding which rule
>
>
> My preprocessor.rules file is blank
>
> How did you copy/install your rules?
>
>
> On Thu, Jul 24, 2014 at 3:24 PM, Y M <snort at ...15979...> wrote:
>
> Date: Thu, 24 Jul 2014 15:02:34 -0400
> From: yawningdogge at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] finding which rule
>
> I'm getting a lot of alerts that look like this.
>
> [**] [129:20:1] Snort Alert [129:20:1] [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> 07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309
> TCP TTL:64 TOS:0x10 ID:59076 IpLen:20 DgmLen:104 DF ***AP***
> Seq: 0x8055FA2A Ack: 0x450C8A09 Win: 0x545 TcpLen: 20
>
> How do I go about finding the rule that generated this alert?
>
> The "[129:20:1]" stands for [GID:SID:REV]. GID with value 129 is generated
> by the Stream5 preprocessor (http://manual.snort.org/node18.html), and
> the alert sid is 2. You can go with something similar to (assuming you are
> running *nix):
>
> grep "sid: 2; gid: 129" /your/pathto/preproc_rules/preprocessor.rules
>
> Though you may not get the exact content match on which this signature is
> matching, it has references to CVE/Bugtraq. In general, the alert
> warns about existing payload on a SYN packet, which may be categorized as
> unusual behavior; i.e., sending data on the initial SYN. You need to
> investigate to determine if it is legit or not.
>
> The reason your alert is showing as "Snort Alert" instead of the actual
> signature message is that the sid-msg.map is not updated with the specific
> signature information.
>
> YM
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck Code
> Sight - the same software that powers the world's largest code search on
> Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
> _______________________________________________ Snort-users mailing list
> Snort-users at lists.sourceforge.net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users
> <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
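Putting YM's GID:SID:REV explanation and the grep into a small script, as an added example that is not from the thread or from Snort itself: it pulls gid/sid/rev out of a fast-format alert header, looks the pair up in a sid-msg.map excerpt (falling back to the bare "Snort Alert [G:S:R]" text Snort prints when the map has no entry) and finds the matching preprocessor.rules line. The sample alert, map and rules are constructed for the example, and the message names in them are assumptions, not the real rule text.

```python
import re

# Constructed samples, not copied from any Snort distribution; layouts follow the documented
# fast-alert header, "#v2" sid-msg.map (gid || sid || msg) and preprocessor.rules formats.
SAMPLE_ALERT = ("[**] [129:20:1] Snort Alert [129:20:1] [**] [Classification: Potentially "
                "Bad Traffic] [Priority: 2] 07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309 TCP")
SAMPLE_SID_MSG_MAP = """#v2
129 || 2 || STREAM5_TCP_SMALL_SEGMENT
129 || 20 || STREAM5_DATA_ON_SYN
"""
SAMPLE_RULES = """alert ( msg: "STREAM5_TCP_SMALL_SEGMENT"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc; )
alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 20; gid: 129; rev: 1; metadata: rule-type preproc; )
"""
ALERT_HEADER_RE = re.compile(r'\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]')

def parse_gid_sid_rev(alert_line):
    """Return (gid, sid, rev) from the leading "[**] [G:S:R]" of a fast-format alert."""
    m = ALERT_HEADER_RE.search(alert_line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % alert_line)
    return tuple(int(x) for x in m.groups())

def load_sid_msg_map(text):
    """Parse sid-msg.map into {(gid, sid): msg}; "#v2" means gid||sid||msg, else sid||msg with gid 1."""
    v2, table = False, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            v2 = v2 or line.lower().startswith('#v2')
            continue
        f = [x.strip() for x in line.split('||')]
        key, msg = ((int(f[0]), int(f[1])), f[2]) if v2 else ((1, int(f[0])), f[1])
        table[key] = msg
    return table

def find_rule(rules_text, gid, sid):
    """First rule whose sid/gid match exactly (the ';' stops 'sid: 2' matching 'sid: 20'); no gid option means 1."""
    sid_re = re.compile(r'\bsid\s*:\s*%d\s*;' % sid)
    gid_re = re.compile(r'\bgid\s*:\s*%d\s*;' % gid)
    for line in rules_text.splitlines():
        gid_ok = gid_re.search(line) or (gid == 1 and not re.search(r'\bgid\s*:', line))
        if sid_re.search(line) and gid_ok:
            return line.strip()
    return None

def explain_alert(alert_line, sid_msg_map_text, rules_text):
    """Resolve an alert to its message text (falling back to what Snort prints) and rule line."""
    gid, sid, rev = parse_gid_sid_rev(alert_line)
    msg = load_sid_msg_map(sid_msg_map_text).get((gid, sid), 'Snort Alert [%d:%d:%d]' % (gid, sid, rev))
    return {'gid': gid, 'sid': sid, 'rev': rev, 'msg': msg, 'rule': find_rule(rules_text, gid, sid)}
```

Point it at the real sid-msg.map and preprocessor.rules that pulledpork writes and the same lookup explains any "Snort Alert [G:S:R]" line.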