[Snort-users] Understanding the alert file

usa ims usaims at ...131...
Tue Aug 11 17:43:33 EDT 2015

Snort 2.9.2.2 on Raspberry Pi

I am trying to understand the 'alert' file.

I am implementing a heartbeat rule so that I can check for lost packets while the system is being slammed. Here is the rule:
alert tcp any any -> any 80 (msg:" Heartbeat" content:/testheartbeat123"; classtype:not-suspicious;sid:1;)
I have a cron job being fired off every minute from a host on the EXTERNAL_NET:
* * * * * perl -MLWP::UserAgent -e 'LWP::UserAgent->new()->get("http://example.com/testheartbeat123");' > /dev/null 2>&1
In the alert file, it contains:
[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.182768 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56030 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAFDDBF49  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8611223 0 NOP WS: 6

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.184943 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56031 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBF4A  Ack: 0x4AD89C91  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611223 8328656

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.975764 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56032 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xAFDDBF4A  Ack: 0x4AD89C91  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611302 8328656

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.981515 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56033 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBFCA  Ack: 0x4AD89E7D  Win: 0x1D9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611303 8328736

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:10.019413 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56034 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBFCA  Ack: 0x4AD89E7E  Win: 0x1D9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611307 8328736

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:10.116771 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56035 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xAFDDBFCA  Ack: 0x4AD89E7E  Win: 0x1D9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611316 8328736

I need help understanding the '***????***'.

It would be nice to only have one alert sent per minute but I'm getting many from the same cron job for that minute. It's going to be cumbersome looking through the alert logs looking for lost alerts to see if any packets were lost. This rule was taken from Martin's blog. Any suggestions, comments, etc.


usaims
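The following is an added example (not code from the poster or from the Snort project) that parses full-format alert records like the ones above. It decodes the eight-character flag column in the order Snort prints it (reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN, with `*` for a clear bit), derives the TCP payload length from `DgmLen - IpLen - TcpLen`, and groups alerts per minute so that a missing heartbeat minute can be reported. In the output above every packet of the TCP conversation alerted, including the bare SYN with zero payload; that is what you would expect from a rule whose `content` option never became a separate option, and the alert msg itself, `Heartbeat" content:/testheartbeat123`, shows the rule text was absorbed into `msg` because the opening quote before `testheartbeat123` is missing. The sample alert text embedded below is constructed in the same format and is not the poster's file; the alert format carries no year, so `strptime` defaults it to 1900, which does not affect the minute arithmetic.

```python
import re
from datetime import datetime, timedelta

# Order in which Snort 2.x prints the TCP flag column, e.g. "***AP***".
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(
    r"^([*12UAPRSF]{8}) Seq: 0x[0-9A-Fa-f]+\s+Ack: 0x[0-9A-Fa-f]+\s+"
    r"Win: 0x[0-9A-Fa-f]+\s+TcpLen: (\d+)"
)

# Constructed sample in the full-alert format (not the poster's real file):
# two heartbeat minutes (15:45 and 15:47) and nothing at all in 15:46.
SAMPLE_ALERTS = """\
[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.182768 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56030 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAFDDBF49  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8611223 0 NOP WS: 6

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.975764 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56032 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xAFDDBF4A  Ack: 0x4AD89C91  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8611302 8328656

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:47:09.901234 192.168.0.99:36312 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56101 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xB0000001  Ack: 0x4AE00001  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8731302 8448656

[**] [1:1:0]  Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:47:10.116771 192.168.0.99:36312 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56102 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xB0000081  Ack: 0x4AE001ED  Win: 0x1D9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 8731316 8448736
"""


def decode_flags(flag_str):
    """Turn Snort's 8-character flag column into the list of set flag names."""
    if len(flag_str) != 8:
        raise ValueError("expected an 8-character Snort flag string, got %r" % flag_str)
    return [name for ch, name in zip(flag_str, FLAG_NAMES) if ch != "*"]


def parse_alerts(text):
    """Parse full-format alert records; a new record starts at each '[**] [gid:sid:rev]' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = PKT_RE.match(line)
        if m:
            cur["time"] = datetime.strptime(m[1], "%m/%d-%H:%M:%S.%f")  # year defaults to 1900
            cur["src"], cur["sport"], cur["dst"], cur["dport"] = m[2], int(m[3]), m[4], int(m[5])
            continue
        m = IP_RE.match(line)
        if m:
            cur["proto"], cur["ttl"], cur["ip_id"] = m[1], int(m[2]), int(m[3])
            cur["ip_len"], cur["dgm_len"] = int(m[4]), int(m[5])
            continue
        m = TCP_RE.match(line)
        if m:
            cur["flags"] = decode_flags(m[1])
            cur["tcp_len"] = int(m[2])
            # Bytes of TCP payload: a SYN or bare ACK/FIN carries none, the HTTP request does.
            cur["payload_len"] = cur["dgm_len"] - cur["ip_len"] - cur["tcp_len"]
    return records


def heartbeats_per_minute(records, sid, require_payload=True):
    """Count alerts for `sid` per minute, optionally only packets that carried payload."""
    counts = {}
    for r in records:
        if r["sid"] != sid or "time" not in r:
            continue
        if require_payload and r.get("payload_len", 0) <= 0:
            continue
        minute = r["time"].replace(second=0, microsecond=0)
        counts[minute] = counts.get(minute, 0) + 1
    return counts


def missing_minutes(counts):
    """Minutes between the first and last observed heartbeat with no heartbeat at all."""
    if not counts:
        return []
    t, end, gaps = min(counts), max(counts), []
    while t <= end:
        if t not in counts:
            gaps.append(t)
        t += timedelta(minutes=1)
    return gaps


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(r["time"].strftime("%H:%M:%S.%f"), r["flags"], "payload=%d" % r["payload_len"])
    counts = heartbeats_per_minute(recs, sid=1)
    print("gaps:", [m.strftime("%H:%M") for m in missing_minutes(counts)])
```

Counting only payload-bearing packets collapses the SYN, ACK and FIN alerts of one cron request into a single heartbeat per minute on the consumer side. The same noise reduction can be done in Snort itself: restoring the quotes on the content option (`content:"testheartbeat123";`) makes the rule fire only on the packet that carries the request string, and an `event_filter` of type `limit` with `count 1, seconds 60` in snort.conf caps the rule at one event per minute per source.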