Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] How to find Snort ID in /var/log/snort/alert records?

from [James Sinnamon] Network Security [Permanent Link]
Subject: [Snort-users] How to find Snort ID in /var/log/snort/alert records?
Date: Mon, 27 Sep 2004 15:01:20 +1000 
Dear Snort users,

I have had Snort running since May on a Debian
Linux system, but I still do not know how to 
use the information in  /var/log/snort/alert*.
I bought "Snort for Dummies" to kick start 
myself, but the description of the alert records
des not correspond to what I find on my system. 

In particular, I am unable to 
obtain a 'Snort ID' which matches anything at: 

  http://www.snort.org/cgi-bin/done.cgi

(For all I know, my firewalled system, 
running an SMTP server, Mailman, sshd and 
Apache, may well have been hacked into
and totally compromised in this period of time,
and Snort may have changed to output only 
gibberish.)

The content of /var/log/alert now includes (with IP addrs changed):

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF0F14CE9  Ack: 0xF0CED3A  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 175525 948682168

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF120D22B  Ack: 0x778B898C  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 176608 939098917

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x69DCF1BA  Ack: 0xFBBF7BBA  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 368601 648869733

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x6CC6FC5C  Ack: 0xCED41371  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 373991 780114678

... do the above records contain snort ID's?  The closest I can find are:
 [119:16:1], [119:15:1], and [119:2:1].

Also, I am not sure which of the port pairs is meant to be the source and 
which is meant to be the destination.  Are the above, records of :

  !)  attempts to hack into my system (147.16.81.75), or
  2) or attempts by processes on my system to hack into other 
       systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?

TIA 

James

-- 
James Sinnamon
frodo000@bigpond net au 
+61 412 319669, +61 2 95692123


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Running Snort in Console Mode, James Edwards
Next by Date:  [Snort-users] confuse with alerts file, maku bex
Previous by Thread:  [Snort-users] SnortSnmp for snort-2.2.0, Glenn Mansfield Keeni
Next by Thread:  Re: [Snort-users] How to find Snort ID in /var/log/snort/alert records?, Nigel Houghton
Indexes:  [Date] [Thread] [Top] [All Lists]