Snort mailing list archives
Re: newbq: snort working, getting hits, got sig id's. What now?
From: Y M <snort () outlook com>
Date: Sun, 2 Dec 2012 11:47:31 +0000
It depends on the alerts you may get, for example:

1. If you get an alert for malware, say a ZeroAccess Trojan outbound connection, in this case you want to:
   a. identify the infected host in your network, and find the proper tools to remove the Trojan.
   b. identify how the Trojan got in and how to prevent it from happening again; that could be in the firewall, or finding a better AV.

2. If you get an attempted web application attack (cmd.exe access attempts), you may want to check the reference URL from the rule; in this case you will have a Microsoft KB or security bulletin. Identify the affected systems from there and compare to your environment. You may block the offending IP address if you see repeated attempts from the same one.

There is a whole lot more to do than that; you need to define your response methodology, and over time you will be able to cover much of the alerts you get.

Hope this helps.
YM

From: ThomisonL () muni org
To: snort-users () lists sourceforge net
Date: Thu, 29 Nov 2012 14:29:43 -0900
Subject: [Snort-users] newbq: snort working, getting hits, got sig id's. What now?

Pardon the newbie question, but…

I've got snort up and running (via security onion 12.04), got latest vrt rules, etc. Let it run overnight and now I've got hits (surprise, surprise). I've got sig id's for the first couple of high event count hits I want to look at, but what now? Where do I go next or what do I do next to decide whether I have a problem or not?

Here's the two sigs I want to use as trainers for myself:

SIG ID
2102649 GPL SQL service_name buffer overflow attempt
2102650 GPL SQL user name buffer overflow attempt

Where do I go to get more information on a sig id?

Now, in this case, the source ip is an old control systems box sending data to a couple of oracle databases. The source and dest IP's correspond with the 'right' boxes. So I suspect that this is simply a result of the vendor or oracle (or both) being sloppy. But how do I confirm (or not)?

FWIW googling showed lots of info on how to write rules, but nothing on what to do after a hit. Thanks!
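A worked triage helper, added here as an example and not code from the thread or from Snort itself: it pulls msg, classtype and the reference URLs out of rule text by sid (the "reference URL from the rule" YM points to) and counts alert_fast hits per sid, source and destination so repeated attempts from one host stand out. The rule bodies, alert lines and reference ids are constructed placeholders, and the REF_PREFIX map mirrors only a subset of Snort's reference.config.

```python
import re
from collections import Counter

# Constructed sample rules in Snort 2 syntax: only the sid/msg pairs come from the thread;
# the bodies are illustrative and the reference ids are PLACEHOLDERS, not real rule content.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"SERVICE_NAME="; reference:cve,0000-PLACEHOLDER; reference:url,example.invalid/advisory-placeholder; classtype:attempted-admin; sid:2102649; rev:8;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"USER"; reference:bugtraq,0000; classtype:attempted-admin; sid:2102650; rev:8;)
'''
# URL prefixes as Snort's reference.config maps them (subset; check your own copy).
REF_PREFIX = {"cve": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=",
              "bugtraq": "http://www.securityfocus.com/bid/", "url": "http://"}

def parse_rules(text):
    """Index rules by sid: message, classtype and the reference URLs to read next."""
    rules = {}
    for line in text.splitlines():
        sid = re.search(r"sid:(\d+);", line)
        if not line.lstrip().startswith("alert") or not sid:
            continue
        msg = re.search(r'msg:"([^"]*)"', line)
        cls = re.search(r"classtype:([^;]+);", line)
        refs = re.findall(r"reference:(\w+),([^;]+);", line)
        rules[int(sid.group(1))] = {
            "msg": msg.group(1) if msg else "",
            "classtype": cls.group(1) if cls else "",
            "references": [REF_PREFIX.get(sys_, sys_ + ":") + ref for sys_, ref in refs],
        }
    return rules

# Constructed alert_fast lines: two hits from one internal host to one database, one to a
# second database, and one from an outside address.
ALERTS = """\
12/01-23:10:02.123456 [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.5.20:49152 -> 10.1.9.10:1521
12/01-23:10:07.223456 [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.5.20:49153 -> 10.1.9.10:1521
12/01-23:12:40.000001 [**] [1:2102650:8] GPL SQL user name buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.5.20:49154 -> 10.1.9.11:1521
12/02-01:00:00.000000 [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4444 -> 10.1.9.10:1521
"""
ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\].*?\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")

def triage(alert_text, rules):
    """Count hits per (sid, src, dst), most frequent first, joined with rule metadata."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(1)), m.group(2), m.group(3))] += 1
    return [{"sid": sid, "src": src, "dst": dst, "hits": n, **rules.get(sid, {})}
            for (sid, src, dst), n in counts.most_common()]
```

Run `triage(ALERTS, parse_rules(RULES))` against your own rules file and alert_fast output; the top row tells you whether the repeated source is a known box (like the control-systems host in the question) or something that warrants a block.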
Current thread:
- newbq: snort working, getting hits, got sig id's. What now? Thomison, Lee (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Jefferson, Shawn (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? John York (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Tony Robinson (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? waldo kitty (Dec 01)
- Re: newbq: snort working, getting hits, got sig id's. What now? John York (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Jefferson, Shawn (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Y M (Dec 02)
- Re: newbq: snort working, getting hits, got sig id's. What now? Giles Coochey (Dec 04)