Drew Burchett wrote:
I guess if BASE has one fatal flaw, there's no ability to see an IP
conversation that triggered an alert. For example, if you see an ATTACK
RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was
malicious or if some dummy just typed in the wrong URL.
That's correct in that specific case, as Snort will only generate an
alert for the 403 from the server and will not log packets preceeding
that event. However, if you have rules to look out for dangerous
inbound/request traffic, then you can get details of what was requested
and what the server's response was.
If Snort provides payload information, BASE will use it. You need to
configure Snort to use an 'alert' output plugin, rather than a 'log'
output plugin.
Further to this, if you use FLoP between Snort and the database and use
Snort's 'tag' directive on rules you're interested in, FLoP's
'getpacket' utility can rebuild the original alert plus subsequent
tagged packets into a .pcap file that can be analysed using ethereal or
whatever. I've patched my local installation of BASE to provide the
option to download such a pcap file from the alert viewer. The patch was
submitted to BASE a while back, but they don't seem to have seen fit to
include it just yet.
Drew Burchett
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
