Snort mailing list archives

Re: are snortalog thing ok here


From: jeremy chartier <jeremy.chartier () free fr>
Date: Mon, 24 May 2004 14:14:28 +0200


hi,

I tried a lot of log analyzers, but snortalog seems to give the most info until
now?
SnortALog seems to be, for me, the best script log analyser, but I don't want to
modify your choice ;)

Questions:
1. Some events have no link, see below, why?
Links appear only in the HTML report. SnortALog needs the "rules" file to generate links. If you see it, you can view 1100 reference signatures, and if you load
all Snort signatures, you work with 2500.

If you want to improve this point, I suggest you generate your own "rules" file from your latest Snort signatures with the "-genref" SnortALog option. You can also add your own
reference signatures (see the PDF documentation).

2. It would be great if, from the list (see below), you could via a button or link
go to a summary of the nodes in your network that had this message.
Yes, but you can get this result by looking at other reports like:
- Percentage and number of attacks to one host from any with same method <http://jeremy.chartier.free.fr/snortalog/report.html#top>
- Percentage and number of attacks from a host to a destination <http://jeremy.chartier.free.fr/snortalog/report.html#top>

I hope this will be helpful for you
Jérémy

The distribution of attack methods
% No Attack Priority Severity
41.76 970  SCAN Proxy Port 8080 attempt {tcp}  2 medium
36.85 856  WEB-IIS %2E-asp access {tcp}  2 medium
4.86 113  WEB-PHP Advanced Poll popup.php access {tcp}  2 medium
2.63 61  WEB-PHP PayPal Storefront arbitrary command execution attempt {tcp}  1 high
2.45 57  ICMP Large ICMP Packet {icmp}  2 medium
2.41 56  WEB-CGI redirect access {tcp}  2 medium
1.85 43  ICMP PING NMAP {icmp}  2 medium
1.64 38  WEB-MISC weblogic/tomcat .jsp view source attempt {tcp}  1 high
1.21 28  WEB-MISC /doc/ access {tcp}  2 medium
0.86 20  RSERVICES rexec username overflow attempt {tcp}  1 high
0.82 19  RSERVICES rexec password overflow attempt {tcp}  1 high
0.56 13  WEB-PHP viewtopic.php access {tcp}  1 high
0.26 6  WEB-IIS view source via translate header {tcp}  2 medium
0.26 6  WEB-MISC http directory traversal {tcp}  2 medium
0.22 5  WEB-CGI calendar access {tcp}  2 medium
0.17 4  WEB-CGI adcycle access {tcp}  2 medium
0.17 4  WEB-CGI campus access {tcp}  2 medium
0.17 4  ATTACK-RESPONSES 403 Forbidden {tcp}  2 medium
0.13 3  WEB-CGI search.cgi access {tcp}  2 medium
0.09 2  WEB-CGI finger access {tcp}  2 medium
0.09 2  WEB-MISC RBS ISP /newuser access {tcp}  2 medium
0.09 2  WEB-FRONTPAGE shtml.exe access {tcp}  2 medium
0.09 2  WEB-FRONTPAGE _vti_rpc access {tcp}  2 medium
0.09 2  WEB-FRONTPAGE /_vti_bin/ access {tcp}  2 medium
0.09 2  MS-SQL probe response overflow attempt {udp}  1 high
0.09 2  WEB-IIS _vti_inf access {tcp}  2 medium
0.04 1  WEB-MISC backup access {tcp}  2 medium
0.04 1  WEB-MISC ICQ Webfront HTTP DOS {tcp}  1 high
0.04 1  WEB-CGI count.cgi access {tcp}  2 medium

hope it is clear,
regards,

Derk van de Velde
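As an added example (not SnortALog's code and not part of the original post), the script below builds the same "distribution of attack methods" table from Snort alert_fast lines and also answers question 2 by listing which destination nodes each message hit. The sample alert lines, their sids and addresses are constructed, and the priority-to-severity mapping (1 high, 2 medium, 3 low) is assumed from the report above.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort alert_fast lines (sids, addresses and times are made up).
SAMPLE_ALERTS = """\
05/24-14:01:02.000001  [**] [1:1000001:1] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:8080
05/24-14:01:03.000002  [**] [1:1000001:1] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.11:8080
05/24-14:01:04.000003  [**] [1:1000001:1] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.8:40003 -> 192.0.2.10:8080
05/24-14:02:00.000004  [**] [1:1000002:1] WEB-PHP PayPal Storefront arbitrary command execution attempt [**] [Priority: 1] {TCP} 198.51.100.9:51000 -> 192.0.2.20:80
05/24-14:03:00.000005  [**] [1:1000003:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.20
"""

# alert_fast layout: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block is optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Assumed severity labels for Snort priorities, matching the report above.
SEVERITY = {1: "high", 2: "medium", 3: "low"}


def parse_alerts(text):
    """Return (msg, priority, proto, src, dst) tuples; non-alert lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((m["msg"], int(m["prio"]), m["proto"].lower(), m["src"], m["dst"]))
    return events


def attack_distribution(events):
    """Rows of (percent, count, 'msg {proto}', priority, severity), most frequent first."""
    counts = Counter((msg, prio, proto) for msg, prio, proto, _, _ in events)
    total = sum(counts.values())
    return [
        (round(100.0 * n / total, 2), n, f"{msg} {{{proto}}}", prio, SEVERITY.get(prio, "unknown"))
        for (msg, prio, proto), n in counts.most_common()
    ]


def hosts_per_attack(events):
    """Question 2: for each message, the destination nodes that received it and how often."""
    per_msg = defaultdict(Counter)
    for msg, _, _, _, dst in events:
        per_msg[msg][dst] += 1
    return {msg: dict(hosts) for msg, hosts in per_msg.items()}


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for pct, n, attack, prio, sev in attack_distribution(evs):
        print(f"{pct:6.2f} {n:5d}  {attack}  {prio} {sev}")
    for msg, hosts in hosts_per_attack(evs).items():
        print(msg, "->", hosts)
```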

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users