Daniel,

Thanks for your helpful response. I also received a response from Nigel Houghton on the snort users list to tell me how to interpret the codes [119:16:1], [119:15:1], and [119:2:1]. They can be found in /etc/snort/sid-msg.map. As an example, [119:16:1] means:

  generator id: 119 or http_inspect
  snort id: 16 or OVERSIZE CHUNK ENCODING
  revision: 1 (all revisions are currently 1)

To look it up on the snort id database, use the URL:
http://www.snort.org/snort-db/sid.html?sid=119-16

On Mon, 27 Sep 2004 07:24 pm, Daniel Pittman wrote:
> On 27 Sep 2004, James Sinnamon wrote:
> > I haven't yet had much joy from a question, further below, which I sent
> > to the Snort mailing list. Can anyone help? Any response would be
> > appreciated, even if only to politely say that the question is too stupid
> > to warrant a response.
>
> [...]
>
> > I have had Snort running since May on a Debian Linux system, but I still
> > do not know how to use the information in /var/log/snort/alert*. I bought
> > "Snort for Dummies" to kick start myself, but the description of the
> > alert records does not correspond to what I find on my system.
>
> You may well find that the book, being paper and thus prone to getting
> outdated, no longer matches up with the version of Snort in Debian.
>
> Alternately, it may be that Debian in stable is older than the book. :)
>
> [...]
>
> > [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> > 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80 TCP TTL:63
> > TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF0F14CE9 Ack:
> > 0xF0CED3A Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 175525
> > 948682168
> > <snip/>
> >
> > ... do the above records contain snort ID's? The closest I can find are:
> > [119:16:1], [119:15:1], and [119:2:1].
>
> I cannot help you there, I fear.
>
> > Also, I am not sure which of the port pairs is meant to be the source and
> > which is meant to be the destination. Are the above, records of :
> >
> > 1) attempts to hack into my system (147.16.81.75), or
> > 2) attempts by processes on my system to hack into other
> > systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?
>
> The direction of the arrow (->) is a hint, I suspect. :)
>
> Those are all HTTP based attacks, so the fact that they come from the
> 147.* address on a high port and go to your systems on port 80 would
> also seem a bit of a hint.
>
> So, the answer is that they are the source host and port on the left,
> then the destination host and port on the right.
>
> These represent some sort of automatic attack on your system, most
> likely.

Also, most of the 'attacks' are originating from my own network. These are possibly some quirks with Mozilla Firefox, or else from some downloaded pages. Possibly I don't need to be too concerned about these. Maybe I should try to change the rules to omit these sorts of messages from /var/log/snort/alert.

So, I have now some better grasp of the basics of Snort.

Thanks again,

regards,

James

--
James Sinnamon
[EMAIL PROTECTED] net au
+61 412 319669, +61 2 95692123
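The two questions settled in this thread, decoding the [gid:sid:rev] triple and reading the source -> destination arrow, worked through as an added Python example that is not part of the mailing-list exchange; the sample records are constructed in the shape of the quoted alert, and the local network 203.26.51.0/24 is an assumption.

```python
import re
import ipaddress

# Constructed sample in the shape of the /var/log/snort/alert records quoted in
# the thread; the second record is invented to show an alert leaving the LAN.
SAMPLE_ALERTS = """\
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-08:40:02.000001 203.26.51.42:33001 -> 202.139.107.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:600 DF
"""

# Line 1 of a record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Line 2: timestamp src:sport -> dst:dport  (left = source, right = destination)
FLOW_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)")

def parse_alerts(text: str) -> list[dict]:
    """Return one dict per record; lines after the first two are ignored."""
    alerts, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = HEADER_RE.match(line)
        f = FLOW_RE.match(lines[i + 1]) if m else None
        if m and f:
            alerts.append({"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
                           "msg": m[4], "src": f[1], "sport": int(f[2]),
                           "dst": f[3], "dport": int(f[4])})
    return alerts

def sid_url(alert: dict) -> str:
    """Lookup URL in the form given in the thread: gid-sid, revision omitted."""
    return f"http://www.snort.org/snort-db/sid.html?sid={alert['gid']}-{alert['sid']}"

def direction(alert: dict, local_nets: list[str]) -> str:
    """Classify by which side of the arrow is on the local network (assumed
    to be given as CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    src_local = any(ipaddress.ip_address(alert["src"]) in n for n in nets)
    dst_local = any(ipaddress.ip_address(alert["dst"]) in n for n in nets)
    return {(False, True): "inbound", (True, False): "outbound",
            (True, True): "internal", (False, False): "transit"}[(src_local, dst_local)]
```

Running `direction` over a real alert file with your own CIDR ranges separates the inbound records Daniel describes from the outbound ones James attributes to his browser, before deciding which rules to tune.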

