On Apr 12, 2:35 pm, jwalterw <[email protected]> wrote:
It occurs to me that my question may have been kind of vague and since
I still need help with this I need to give a bit more information. I
had hoped to have it resolved by now but I'm still not sure on the
best way to do this.
Snort alert:
04/11-10:33:06.881488 [**] [1:2001855:27] ET USER_AGENTS Fun Web Products Spyware User Agent (1) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 2001:FFFF:fe50:FFFF:FFFF:b905:FFFF:179c:64483 -> 2620:0000:1cfe:face:b00c:0000:0000:0009:80
Destination is left intact, I obfuscated the source address.
This is a Facebook user with a possibly malicious user-agent. (I'm as
stunned as you are.)
IPv6 Snort "fast" output will have that format for alerts. The source
and destination IPs will always (or seem to always) be in the long-hand
notation with a src or dst port at the end.
This is a pre-processor event (again with bogus src):
04/14-10:49:39.917227 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2001:FFFF:fe50:FFFF:FFFF:b905:FFFF:179c:34241 -> 2001:04f8:0000:0002:0000:0000:0000:000e:21
Would the best way for me to process these be to copy the decoder for
snort out into my local_decoder.xml, and then copy the snort logic
from the ids rules file?
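As an added example (not code from the post, OSSEC or Snort), here is a Python parser for the IPv6 "fast" alert layout described above; the two sample lines are constructed with 2001:db8::/32 documentation addresses, and treating non-TCP/UDP endpoints as having no port is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample lines in the IPv6 "fast" layout shown in the post
# (2001:db8::/32 documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    "04/11-10:33:06.881488 [**] [1:2001855:27] ET USER_AGENTS Fun Web Products Spyware User Agent (1) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 2001:db8:fe50:ffff:ffff:b905:ffff:179c:64483 -> 2001:db8:1cfe:face:b00c:0000:0000:0009:80",
    "04/14-10:49:39.917227 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2001:db8:fe50:ffff:ffff:b905:ffff:179c:34241 -> 2001:db8:0000:0002:0000:0000:0000:000e:21",
]

# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} <src> -> <dst>
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # absent when the rule has no classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint, proto):
    """Split 'addr:port' into (canonical addr, port or None).

    An IPv6 address is full of colons, so the port is whatever follows the LAST
    colon, and only for protocols that carry ports (TCP/UDP); for the rest
    (assumed here: ICMP and friends) the whole field is the address. ipaddress
    validates it and turns Snort's long-hand form into the compressed form.
    """
    if proto.upper() in ("TCP", "UDP"):
        host, sep, port = endpoint.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"expected addr:port for {proto}: {endpoint!r}")
        return str(ipaddress.ip_address(host)), int(port)
    return str(ipaddress.ip_address(endpoint)), None


def parse_fast_alert(line):
    """Parse one fast-format line into the fields a decoder would extract."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    src_ip, src_port = split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = split_endpoint(m["dst"], m["proto"])
    return {
        "timestamp": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
        "rev": int(m["rev"]), "message": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]), "proto": m["proto"],
        "srcip": src_ip, "srcport": src_port, "dstip": dst_ip, "dstport": dst_port,
    }


if __name__ == "__main__":
    for a in map(parse_fast_alert, SAMPLE_ALERTS):
        print(a["sid"], a["srcip"], a["srcport"], "->", a["dstip"], a["dstport"])
```

The same split-on-last-colon rule is what a regex in a local_decoder.xml would have to encode for the src/dst fields, so the parser doubles as a check of the values you expect the decoder to produce.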