Re: [Snort-users] How to find Snort ID in /var/log/snort/alert records?

Subject: Re: [Snort-users] How to find Snort ID in /var/log/snort/alert records?
Date: Mon, 27 Sep 2004 15:07:36 -0400
On  0, snort-users-request@lists.sourceforge.net allegedly wrote:

Today's Topics:

   1. How to find Snort ID in /var/log/snort/alert records? (James Sinnamon)
--__--__--

Message: 1
From: James Sinnamon <frodo000@bigpond.net.au>
Reply-To: James Sinnamon <frodo000@bigpond.net.au>
To: snort-users@lists.sourceforge.net
Date: Mon, 27 Sep 2004 15:01:20 +1000
Subject: [Snort-users] How to find Snort ID in /var/log/snort/alert records?

Dear Snort users,

I have had Snort running since May on a Debian
Linux system, but I still do not know how to 
use the information in /var/log/snort/alert*.
I bought "Snort for Dummies" to kick start 
myself, but the description of the alert records
does not correspond to what I find on my system. 

In particular, I am unable to 
obtain a 'Snort ID' which matches anything at: 

  http://www.snort.org/cgi-bin/done.cgi

(For all I know, my firewalled system, 
running an SMTP server, Mailman, sshd and 
Apache, may well have been hacked into
and totally compromised in this period of time,
and Snort may have changed to output only 
gibberish.)

The content of /var/log/alert now includes (with IP addrs changed):

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF0F14CE9  Ack: 0xF0CED3A  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 175525 948682168

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:25593 IpLen:20 DgmLen:1272 DF
***AP*** Seq: 0xF120D22B  Ack: 0x778B898C  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 176608 939098917

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x69DCF1BA  Ack: 0xFBBF7BBA  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 368601 648869733

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
***AP*** Seq: 0x6CC6FC5C  Ack: 0xCED41371  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 373991 780114678

... do the above records contain snort ID's?  The closest I can find are:
 [119:16:1], [119:15:1], and [119:2:1].

correct, these are in the format [ generator id : snort id : revision ],
this means you have a generator id of 119 and snort ids of 16, 15 and 2 all
of which are revision number 1. Generator id 119 relates to http_inspect,
look in gen-msg.map for all the others. The (http_inspect) in the message
is also a dead giveaway.

Also, I am not sure which of the port pairs is meant to be the source and 
which is meant to be the destination.  Are the above, records of :

  1) attempts to hack into my system (147.16.81.75), or
  2) attempts by processes on my system to hack into other 
       systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?


The direction indicator in the event message indicates the events are
coming from 147.16.81.75 and going to the addresses indicated.

More information on the events can be found at:

 http://www.snort.org/snort-db/sid.html?sid=119-16

 http://www.snort.org/snort-db/sid.html?sid=119-15

 http://www.snort.org/snort-db/sid.html?sid=119-2


TIA 

James

-- 
James Sinnamon
frodo000@bigpond net au 
+61 412 319669, +61 2 95692123
 
+-------------------------------------------------------------------------+
   ,,_   Nigel Houghton      Research Engineer       Sourcefire Inc.
  o"  )~               Vulnerability Research Team
   ''''  
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
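As an added example (not code from the thread or from the Snort project), a small Python parser that pulls the [generator id : snort id : revision] triple, the message and the src -> dst flow out of records in the full-alert format shown above, builds the snort-db URL in the form given in the reply, and resolves each gid/sid pair against an excerpt in the "gid || sid || message" layout of gen-msg.map. The sample alert text and the gen-msg.map lines are constructed from the records quoted in the thread; `direction_summary` is a hypothetical helper that answers the source/destination question for a given local address.

```python
import re
from collections import Counter
# Constructed sample: alert header and flow lines from the four records quoted in the thread.
ALERT_LOG = """\
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
"""
# Constructed excerpt in the "gid || sid || message" layout of Snort's gen-msg.map.
GEN_MSG_MAP = """\
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 15 || (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || (http_inspect) OVERSIZE CHUNK ENCODING
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")

def load_gen_msg_map(text):
    """Map (gid, sid) -> message text, one entry per 'gid || sid || msg' line."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def parse_alerts(text):
    """Return one dict per record: [gid:sid:rev], message, flow, and the sid.html URL."""
    events, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):   # "[**] [gid:sid:rev] message [**]"
            gid, sid, rev = map(int, m.group(1, 2, 3))
            cur = {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
                   "url": f"http://www.snort.org/snort-db/sid.html?sid={gid}-{sid}"}
        elif (f := FLOW_RE.match(line)) and cur is not None:   # "time src:port -> dst:port"
            cur.update(src=f.group(2), sport=int(f.group(3)), dst=f.group(4), dport=int(f.group(5)))
            events.append(cur)
            cur = None
    return events

def direction_summary(events, local_ip):
    """Count records where the monitored host is the source (outbound) or the destination."""
    return dict(Counter("outbound" if e["src"] == local_ip else
                        "inbound" if e["dst"] == local_ip else "other" for e in events))
```

Run against the records above, `direction_summary(parse_alerts(ALERT_LOG), "147.16.81.75")` reports all four as outbound, which is the reading the reply gives of the `->` indicator.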

