Snort mailing list archives
Re: Definitions of snort signatures
From: Chris Green <cmg () uab edu>
Date: Tue, 13 Nov 2001 08:40:57 -0600
"Don Weber" <Don.Weber () iris tamucc edu> writes:
I am doing a research project, analyzing our schools network for attacks, and I am getting good results using snort and snortsnarf. But I have no idea what the signatures mean. Is there any documentation anyplace that explains what each signature means and why the packet was flagged?
A good number of the rules have a references field. This maps to information about the rule. The reason packets are flagged is because they match the rule and the reason the rule was written is often described in the references section. SnortSnarf parses them and provides links or you can look at sp_reference.h

    #define BUGTRAQ_URL_HEAD "http://www.securityfocus.com/bid/"
    #define CVE_URL_HEAD "http://cve.mitre.org/cgi-bin/cvename.cgi?name="
    #define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS"
    #define MCAFEE_URL_HEAD "http://vil.nai.com/vil/dispVirus.asp?virus_k="
    #define URL_HEAD "http://"

eg: reference: bugtraq, 1991 -> http://www.securityfocus.com/bid/1991

--
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
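The mapping Chris describes, from a rule's reference:<system>,<id> options to the URL prefixes in sp_reference.h, is small enough to reproduce outside Snort. The following is an added example, not code from the message or from the Snort project: it pulls the option body out of a rule line, splits it on unescaped semicolons, and resolves each reference option against the prefix table quoted above. The sample rule is constructed for the example; only the bugtraq id 1991 comes from the message, the other ids are placeholders, and the "nessus" system is included to show how an unknown prefix is reported rather than silently dropped.

```python
import re

# Prefix table transcribed from the sp_reference.h #defines quoted above.
# Keys are the <system> token as it appears in a reference: option.
REFERENCE_URL_HEADS = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "url": "http://",
}

# Constructed sample rule: bugtraq 1991 is the id from the message; the CVE,
# arachnids and url values are placeholders, and "nessus" is deliberately a
# system that sp_reference.h (as quoted) does not know about.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE rule with references"; flow:to_server,established; '
    'content:"foo\\;bar"; reference:bugtraq, 1991; '
    'reference:cve,CVE-0000-0000; reference:arachnids,000; '
    'reference:url,example.com/advisory; reference:nessus,12345; '
    'classtype:attempted-recon; sid:1000001; rev:1;)'
)


def parse_rule_options(rule):
    """Return the option body of a Snort rule as a list of (key, value) pairs.

    Options are separated by ';'. A ';' preceded by a backslash is an escaped
    character inside a content: match and must not split the option.
    """
    start = rule.find("(")
    end = rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option body")
    body = rule[start + 1:end]
    opts = []
    for raw in re.split(r"(?<!\\);", body):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        opts.append((key.strip(), value.strip()))
    return opts


def reference_urls(rule):
    """Resolve every reference:<system>,<id> option in a rule to a URL.

    Returns a list of (system, id, url) tuples. Whitespace after the comma
    is tolerated (the message itself writes "bugtraq, 1991"). A system that
    has no URL head yields url=None so the caller can see the gap.
    """
    results = []
    for key, value in parse_rule_options(rule):
        if key != "reference":
            continue
        system, _, ident = value.partition(",")
        system = system.strip().lower()
        ident = ident.strip()
        head = REFERENCE_URL_HEADS.get(system)
        results.append((system, ident, head + ident if head else None))
    return results


if __name__ == "__main__":
    for system, ident, url in reference_urls(SAMPLE_RULE):
        print(f"{system:10} {ident:20} {url or '(no URL head for this system)'}")
```

Running the block prints one line per reference option; the escaped semicolon inside the content: value is kept intact, which is the case a naive split on ';' gets wrong.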