Snort alert description - explanation?
notaduck last edited by
Hello, i have installed the snort package and i was wondering if there is a place where i can find an explanation of the different alert description ?
it would deffently be best f there wasa pdf book or somthing i could print ;)
fsansfil last edited by
Well if you are refering to the classtype, these are just pre-defined categories with a priority from 1-4
If you want to know what a specific rule is alerting for, youll have to look at the rule it self. In the GUI, go to your snort interface, select the Rules tab, and browse the categories youll be able to select the rule.
Most rule have a reference part with a URL or a CVE number, that could give you some info on what the rule in looking for.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;)
See the reference part ?