[Snort-users] Understanding the alert file

James Lay jlay at ...13475...
Tue Aug 11 18:50:42 EDT 2015


On 2015-08-11 03:43 PM, usa ims wrote:
> Snort 2.9.2.2 on RaspberryPi
> I am trying to understand the 'alert' file.
> 
> I am implementing a heartbeat rule so that I can check for lost packets
> while the system is being slammed. Here is the rule:
> 
> alert tcp any any -> any 80 (msg:" Heartbeat"
> content:/testheartbeat123"; classtype:not-suspicious;sid:1;)
> 
> I have a cron job being fired off every minute from a host on the
> EXTERNAL_NET:
> * * * * * perl -MLWP::UserAgent -e
> 'LWP::UserAgent->new()->get("http://example.com/testheartbeat123");'
>> /dev/null 2>&1
> 
> In the alert file, it contains:
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:09.182768 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56030 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xAFDDBF49 Ack: 0x0 Win: 0x7210 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 8611223 0 NOP WS: 6
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:09.184943 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56031 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8611223 8328656
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:09.975764 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56032 IpLen:20 DgmLen:180 DF
> ***AP*** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8611302 8328656
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:09.981515 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56033 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0xAFDDBFCA Ack: 0x4AD89E7D Win: 0x1D9 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8611303 8328736
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:10.019413 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56034 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0xAFDDBFCA Ack: 0x4AD89E7E Win: 0x1D9 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8611307 8328736
> 
> [**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 08/11-15:45:10.116771 192.168.0.99:36310 -> 192.168.24.24:80
> TCP TTL:64 TOS:0x0 ID:56035 IpLen:20 DgmLen:52 DF
> ***A***F Seq: 0xAFDDBFCA Ack: 0x4AD89E7E Win: 0x1D9 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8611316 8328736
> 
> I need help understanding the '***????***'.
> 
> It would be nice to only have one alert sent per minute but I'm
> getting many from the same cron job for that minute. It's going to be
> cumbersome looking through the alert logs looking for lost alerts to
> see if any packets were lost. This rule was taken from Martin's blog.
> Any suggestions, comments, etc.
> 
> usaims
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

Those are "Snort style" TCP flags:

https://isc.sans.edu/diary/Wireshark+TCP+Flags/19547
http://manual.snort.org/node463.html

James
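Two things in the pasted alerts are worth reading off directly. The bracketed `[1:1:0]` is gid:sid:rev (generator 1 is the rules engine, sid 1 is the rule's own ID, rev 0 because the rule sets none). The 8-character field before `Seq:` is Snort's flag string, printed in a fixed order: reserved bit 1 (CWR) as `1`, reserved bit 2 (ECE) as `2`, then `U`rg, `A`ck, `P`sh, `R`st, `S`yn, `F`in, with `*` for a clear bit. So `******S*` is the SYN, `***A****` a bare ACK, `***AP***` the request carrying data, and `***A***F` the FIN. Note also that the alert message reads `Heartbeat" content:/testheartbeat123`: the `msg:` option in the rule was never closed with `";`, so the content keyword was swallowed into the message and the rule has no payload match at all. That is why every TCP packet of the connection alerts, including the SYN and bare ACKs, which carry no payload (DgmLen minus IpLen minus TcpLen is 0 for them). The script below is an added example, not from the list or the Snort project: it parses the full-format alert file, decodes the flag field, computes the payload length of each packet, and collapses the per-packet alerts into one row per flow and minute, which is the view you want for spotting a missed heartbeat. The sample input is the alerts quoted above, re-typed here as a constructed string.

```python
import re

# Snort's CreateTCPFlagString order: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.
# A '*' in a position means that flag is clear.
FLAG_CHARS = "12UAPRSF"
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def decode_flags(field):
    """Turn a Snort flag field such as '***A***F' into ['ACK', 'FIN']."""
    if len(field) != 8:
        raise ValueError("flag field must be 8 characters: %r" % field)
    names = []
    for ch, expect, name in zip(field, FLAG_CHARS, FLAG_NAMES):
        if ch == expect:
            names.append(name)
        elif ch != "*":
            raise ValueError("unexpected %r in flag field %r" % (ch, field))
    return names

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x[0-9A-Fa-f]+ "
                    r"Win: 0x[0-9A-Fa-f]+ TcpLen: (\d+)$")

def parse_alerts(text):
    """Parse Snort 'full' alert output into one dict per alert."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # "[**] [gid:sid:rev] msg [**]" starts a new alert record
            cur = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                   "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = PACKET_RE.match(line)
        if m:
            cur.update(date=m.group(1), time=m.group(2), src=m.group(3),
                       sport=int(m.group(4)), dst=m.group(5), dport=int(m.group(6)))
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(ttl=int(m.group(1)), ip_id=int(m.group(2)),
                       ip_len=int(m.group(3)), dgm_len=int(m.group(4)))
            continue
        m = TCP_RE.match(line)
        if m:
            cur["flags"] = decode_flags(m.group(1))
            cur["tcp_len"] = int(m.group(3))
            # Payload bytes = IP total length - IP header - TCP header.
            cur["payload_len"] = cur["dgm_len"] - cur["ip_len"] - cur["tcp_len"]
    return alerts

def heartbeats_per_minute(alerts):
    """Collapse per-packet alerts into one row per (flow, minute)."""
    rows = {}
    for a in alerts:
        key = (a["src"], a["dst"], a["dport"], a["date"], a["time"][:5])
        row = rows.setdefault(key, {"packets": 0, "with_payload": 0, "flags_seen": []})
        row["packets"] += 1
        if a["payload_len"] > 0:
            row["with_payload"] += 1
        row["flags_seen"].append("+".join(a["flags"]))
    return rows

# Constructed sample: four of the alerts from the original post.
SAMPLE = """\
[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.182768 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56030 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAFDDBF49 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8611223 0 NOP WS: 6

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.184943 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56031 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:09.975764 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56032 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xAFDDBF4A Ack: 0x4AD89C91 Win: 0x1C9 TcpLen: 32

[**] [1:1:0] Heartbeat" content:/testheartbeat123 [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
08/11-15:45:10.116771 192.168.0.99:36310 -> 192.168.24.24:80
TCP TTL:64 TOS:0x0 ID:56035 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xAFDDBFCA Ack: 0x4AD89E7E Win: 0x1D9 TcpLen: 32
"""

if __name__ == "__main__":
    for key, row in heartbeats_per_minute(parse_alerts(SAMPLE)).items():
        print(key, row)
```

Run against the sample this prints one row for 15:45 with 4 packets, only 1 of which carried payload (the 128-byte `***AP***` request), which is the concrete evidence that the posted rule is matching on the port, not on the content. To get one alert per heartbeat instead, close the msg option and constrain the rule to established client-to-server traffic, for example (my suggested rewrite, with a sid moved into the local range above 1000000): `alert tcp any any -> any 80 (msg:"Heartbeat"; flow:to_server,established; content:"testheartbeat123"; classtype:not-suspicious; sid:1000001; rev:1;)`. That fires once per request; if the request is ever retransmitted and you truly want at most one alert per minute, an `event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60` in snort.conf does the rate-limiting.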