Snort alert description - explanation?



  • Hello, i have installed the snort package and i was wondering if there is a place where i can find an explanation of the different alert description ?
    it would deffently be best f there wasa pdf book or somthing i could print ;)



  • Hello,

    Well if you are refering to the classtype, these are just pre-defined categories with a priority from 1-4

    http://manual.snort.org/node31.html

    If you want to know what a specific rule is alerting for, youll have to look at the rule it self. In the GUI, go to your snort interface, select the Rules tab, and browse the categories youll be able to select the rule.

    Most rule have a reference part with a URL or a CVE number, that could give you some info on what the rule in looking for.

    Example:
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;)

    See the reference part ?

    F.


Log in to reply