Snort mailing list archives
Re: Relation between events and rules set.
From: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
Date: Thu, 24 Apr 2003 15:15:47 -0500
Say it in Spanish .. there are a couple of us Spanish speakers here who can also lend you a hand .. ! Of course, on my part my knowledge is minimal, but perhaps it can be of some use ..
Julio Jaime wrote:
Hi John,

I'm sorry, English is not my language and it is difficult for me to explain.

You have different sets of rules: web-cgi.rules, web-coldfusion.rules, web-frontpage.rules, web-iis.rules, web-misc.rules, x11.rules... etc. The events trigger specific rules (rules in these rule sets). E.g.: WEB-IIS cmd.exe access ---> in web-iis.rules

The only reference to the rule set in a Snort alert is the msg header, and it is not reliable (e.g. in web-misc.rules you have msgs with WEB-MISC and WEB-PHP...).

If we can know the rule set that triggered the event, we can use it to calculate the event severity. A "WEB-IIS cmd.exe access" alert is not dangerous on an Apache web server.

Is that OK? Thanks a lot.

J.J.

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Wednesday, 23 April 2003 10:10 p.m.
To: Julio Jaime
CC: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Relation between events and rules set.

Julio:

Let's do a little trimming:

On or about Wed, Apr 23, 2003 at 04:47:30PM -0300, Julio Jaime posited:

> Hi all, We are working on a threat management system using snort + logsnorter + syslog servers, but the core is snort.
> <snip>
> I need to know how to find the relation between the event and the set of rules that triggered that event.

Is the question "which specific rule was triggered by a specific event" ie: alert?

cd /wherever_your_snort_rules_are/
grep 'insert_phrase_from_alert' *

To wit:

[**] [1:0:0] TCP inbound to 80 http [**]
[Priority: 0]
04/21/03-18:07:00.234228 12.84.131.147:1894 -> 12.82.133.136:80
TCP TTL:120 TOS:0x0 ID:14681 IpLen:20 DgmLen:48 DF
******S* Seq: 0xDEEB0032  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[toot@tweedle /storage/snort]$ grep 'inbound to 80' *
tcp191-local.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TCP inbound to 80 http";)

- John
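The lookup John does by hand with grep, together with the caveat Julio raises about the msg prefix not naming the file, as an added example that is not part of the original thread: a small Python indexer that maps a Snort full-alert header ([**] [gid:sid:rev] msg [**]) back to the rule file it came from. It matches on sid first and falls back to the msg text only when the rule carries no sid: option, which is why John's local rule is reported as [1:0:0]. The rule files, sid numbers, rule text and the platform-relevance table below are constructed for this example and are not taken from the Snort distribution; index_rules, rule_file_for_alert, severity and load_rule_dir are names chosen here, not Snort or logsnorter functions.

```python
import glob
import os
import re
from collections import defaultdict

# Constructed sample rule files standing in for a Snort rules directory.
# Rule text and sid numbers are made up for this example.  Note the WEB-PHP
# message that lives in web-misc.rules: the msg prefix is not the file name.
RULE_FILES = {
    "web-iis.rules": [
        '# constructed sample, comment lines are skipped',
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
        'content:"cmd.exe"; nocase; classtype:web-application-attack; '
        'sid:1002; rev:5;)',
    ],
    "web-misc.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC /etc/passwd"; flow:to_server,established; '
        'content:"/etc/passwd"; nocase; classtype:attempted-recon; '
        'sid:1122; rev:4;)',
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-PHP phpinfo access"; flow:to_server,established; '
        'content:"phpinfo.php"; nocase; classtype:web-application-activity; '
        'sid:1487; rev:3;)',
    ],
    # John's local rule from the thread: no sid: option, so Snort prints [1:0:0].
    "tcp191-local.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TCP inbound to 80 http";)',
    ],
}

# rule header ... ( options )
RULE_RE = re.compile(r'^(?:alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+[^(]+\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# Snort full-alert header line: [**] [gid:sid:rev] msg [**]
ALERT_RE = re.compile(r'^\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]')


def load_rule_dir(path):
    """Read every *.rules file in a real rules directory into the same
    {filename: [lines]} shape as RULE_FILES (not used by the demo below)."""
    return {os.path.basename(p): open(p, encoding="utf-8", errors="replace").read().splitlines()
            for p in glob.glob(os.path.join(path, "*.rules"))}


def index_rules(rule_files):
    """Return (by_sid, by_msg): sid -> (file, msg) and msg -> [files]."""
    by_sid = {}
    by_msg = defaultdict(list)
    for fname, lines in rule_files.items():
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            m = RULE_RE.match(line)
            if not m:
                continue
            opts = m.group('opts')
            msg_m = MSG_RE.search(opts)
            sid_m = SID_RE.search(opts)
            msg = msg_m.group(1) if msg_m else None
            if sid_m and int(sid_m.group(1)) != 0:
                by_sid[int(sid_m.group(1))] = (fname, msg)
            if msg is not None:
                by_msg[msg].append(fname)
    return by_sid, dict(by_msg)


def rule_file_for_alert(alert_header, by_sid, by_msg):
    """Return the rule file behind this alert header, or None.

    gid 1 is a rules-file rule; other gids are preprocessor/decoder events
    with no rule file.  Prefer sid; when the rule has no sid (Snort prints 0)
    fall back to msg text, trusted only if exactly one file contains it.
    """
    m = ALERT_RE.match(alert_header)
    if not m:
        return None
    gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(4)
    if gid != 1:
        return None
    if sid != 0 and sid in by_sid:
        return by_sid[sid][0]
    files = by_msg.get(msg, [])
    return files[0] if len(files) == 1 else None


# Constructed local policy: which rule files matter for which web server.
# web-misc.rules stays relevant everywhere because it mixes WEB-MISC and WEB-PHP.
RELEVANT_FILES = {
    "iis": {"web-iis.rules", "web-frontpage.rules", "web-coldfusion.rules",
            "web-cgi.rules", "web-misc.rules"},
    "apache": {"web-cgi.rules", "web-php.rules", "web-misc.rules"},
}


def severity(alert_header, platform, by_sid, by_msg):
    """'high' if the firing rule's file applies to the target platform,
    'low' if not (e.g. WEB-IIS against Apache), 'unknown' if unmapped."""
    rule_file = rule_file_for_alert(alert_header, by_sid, by_msg)
    if rule_file is None:
        return "unknown"
    return "high" if rule_file in RELEVANT_FILES.get(platform, set()) else "low"


if __name__ == "__main__":
    by_sid, by_msg = index_rules(RULE_FILES)
    for hdr in ("[**] [1:1002:5] WEB-IIS cmd.exe access [**]",
                "[**] [1:1487:3] WEB-PHP phpinfo access [**]",
                "[**] [1:0:0] TCP inbound to 80 http [**]"):
        print(hdr, "->", rule_file_for_alert(hdr, by_sid, by_msg),
              "| on apache:", severity(hdr, "apache", by_sid, by_msg))
```

On a real sensor replace RULE_FILES with load_rule_dir("/etc/snort/rules") (path assumed) and feed the first line of each full-alert block to rule_file_for_alert; the sid path is the one to rely on, since two files can legitimately carry rules with the same msg text while sids are meant to be unique.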
Current thread:
- Relation between events and rules set. Julio Jaime (Apr 23)
- Re: Relation between events and rules set. John Sage (Apr 23)
- <Possible follow-ups>
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 24)
- RE: Relation between events and rules set. bmcdowell (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 24)
- RE: Relation between events and rules set. Julio Jaime (Apr 25)
- Re: Relation between events and rules set. David Alonso De La Vega Tapage (Apr 25)