[Dshield] Snort 1.8
peter at borner.org.uk
Fri Oct 12 10:33:25 GMT 2001
Thanks for the link. I've downloaded the tarball, installed and
configured it. However, it still seems to skip over lines in my log file
that appear to be of interest. Maybe I'm just being paranoid. I've run
it with debug switched on and here is a sample of the output...
PARSING: [**] [1:970:1] WEB-IIS multiple decode attempt [**]
SKIPPING: [**] [1:970:1] WEB-IIS multiple decode attempt [**]
PARSING: [Classification: Attempted User Privilege Gain] [Priority: 8]
SKIPPING: [Classification: Attempted User Privilege Gain] [Priority: 8]
PARSING: 10/12/01-06:26:03.276599 126.96.36.199:3592 -> 188.8.131.52:80
SKIPPING: 10/12/01-06:26:03.276599 184.108.40.206:3592 -> 220.127.116.11:80
PARSING: TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
SKIPPING: TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
PARSING: ***AP*** Seq: 0x9C9EB524 Ack: 0x5B237DE0 Win: 0x4470 TcpLen:
SKIPPING: ***AP*** Seq: 0x9C9EB524 Ack: 0x5B237DE0 Win: 0x4470
PARSING: [Xref =>
SKIPPING: [Xref =>
Unfortunately my knowledge of Perl is non-existent so I can't look too
closely at the Perl script, but it seems to me that the line:
10/12/01-06:26:03.276599 18.104.22.168:3592 -> 22.214.171.124:80
should trigger the parser.
Any help you can give would be greatly appreciated.
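As an added example (Python rather than the DShield client's own Perl, and not code from the client), here is a small parser for the Snort 1.8 full-format alert block quoted above. It shows that the timestamp/address line is the one that carries the source and destination, and what a parser keyed on that line extracts; lines matching no pattern are skipped, which is what the debug trace reports. The sample block and its documentation-range addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Snort 1.8 "full" alert blocks, as quoted in the post: a [**] header,
# a classification line, the timestamp/address line, a protocol line.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.*?)\] \[Priority: (\d+)\]$')
# The line the poster expects to trigger the parser (port optional for ICMP).
ADDR_RE = re.compile(
    r'^(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
    r'(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> '
    r'(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$')
PROTO_RE = re.compile(r'^(TCP|UDP|ICMP) TTL:(\d+) ')

def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Walk the file line by line: a [**] header opens a record and each
    following line fills in whichever field its pattern matches."""
    alerts: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = {'sid': int(m.group(2)), 'msg': m.group(4)}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first header is skipped
        elif m := CLASS_RE.match(line):
            cur['classification'] = m.group(1)
            cur['priority'] = int(m.group(2))
        elif m := ADDR_RE.match(line):
            cur['timestamp'], cur['src'], cur['dst'] = m.group(1), m.group(2), m.group(4)
            cur['sport'] = int(m.group(3)) if m.group(3) else None
            cur['dport'] = int(m.group(5)) if m.group(5) else None
        elif m := PROTO_RE.match(line):
            cur['proto'], cur['ttl'] = m.group(1), int(m.group(2))
    return alerts

# Constructed sample in the same layout as the post's debug output
# (documentation addresses, not the ones in the post).
SAMPLE = """[**] [1:970:1] WEB-IIS multiple decode attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
10/12/01-06:26:03.276599 192.0.2.10:3592 -> 198.51.100.20:80
TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9C9EB524 Ack: 0x5B237DE0 Win: 0x4470 TcpLen: 20
"""

if __name__ == '__main__':
    for alert in parse_alerts(SAMPLE):
        print(alert)
```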
From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
Sent: 12 October 2001 03:12
To: dshield at dshield.org
Subject: [Dshield] Snort 1.8
Thanks to Eric for reminding me. I posted the snort 1.8 client.
To download it directly:
It is built around the newer Perl framework, which allows for
IP filtering and a few other gadgets.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection