Snort mailing list archives
Re: newbq: snort working, getting hits, got sig id's. What now?
From: Giles Coochey <giles () coochey net>
Date: Tue, 04 Dec 2012 13:35:04 +0000
On 29/11/2012 23:29, Thomison, Lee wrote:
> Pardon the newbie question, but... I've got snort up and running (via security onion 12.04), got latest vrt rules, etc. Let it run overnight and now I've got hits (surprise, surprise). I've got sig id's for the first couple of high event count hits I want to look at, but what now? Where do I go next or what do I do next to decide whether I have a problem or not?
>
> Here's the two sigs I want to use as trainers for myself:
> SIG ID 2102649 GPL SQL service_name buffer overflow attempt
> 2102650 GPL SQL user name buffer overflow attempt

If you have security onion running the best way to look at these is with the sguil client - you can isolate the alerts and get a full TCP conversation transcript (with a right click) or view the connections in Wireshark and/or Network Miner.
Your interest is in whether this was a false positive, an attempted attack, or a successful attack.
Use the information provided to find out which of these occurred. Sometimes source and destination IPs are enough for you to disregard alerts, but in any case, as you are using security onion, you should have the full packet capture available to you.
--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net
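One way to do the first-pass triage described above (bucket the alerts for the two SIDs by source and destination, and tag which side of the network each address is on, before opening the full packet capture), as an added example that is not part of this thread: it assumes Snort's alert_fast line format, a constructed set of sample alert lines, and an internal address range you supply yourself.

```python
import ipaddress
import re
from collections import defaultdict

# Snort alert_fast line layout (assumed here, not taken from the thread):
# <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def triage(lines, internal_net, sids):
    """Count alerts for the SIDs of interest per (sid, src, dst, direction).

    Direction is derived from internal_net, so a burst of internal->internal
    hits (often an application or scanner you own) and a single external
    probe against a database host stand out before any packet capture is opened.
    """
    net = ipaddress.ip_network(internal_net)
    buckets = defaultdict(int)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] not in sids:
            continue
        src_side = "internal" if ipaddress.ip_address(a["src"]) in net else "external"
        dst_side = "internal" if ipaddress.ip_address(a["dst"]) in net else "external"
        buckets[(a["sid"], a["src"], a["dst"], src_side + "->" + dst_side)] += 1
    return dict(buckets)


# Constructed sample alerts (not real traffic) using the two SIDs from the thread
# plus one unrelated SID that the triage function must ignore.
SAMPLE = """\
12/04-01:12:03.100000  [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:49152 -> 10.1.2.40:1521
12/04-01:12:09.400000  [**] [1:2102649:8] GPL SQL service_name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:49153 -> 10.1.2.40:1521
12/04-02:30:11.000000  [**] [1:2102650:8] GPL SQL user name buffer overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:3311 -> 10.1.2.40:1521
12/04-02:31:00.000000  [**] [1:1000001:1] LOCAL unrelated test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:49154 -> 10.1.2.41:80
"""

if __name__ == "__main__":
    summary = triage(SAMPLE.splitlines(), "10.0.0.0/8", {2102649, 2102650})
    for key, count in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(count, key)
```

Each remaining (sid, src, dst) pair is then a single sguil or Wireshark lookup rather than a pile of repeated alerts.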