Netgate Discussion Forum
    Snort alert description - explanation?


    notaduck

      Hello, I have installed the Snort package and I was wondering if there is a place where I can find an explanation of the different alert descriptions?
      It would definitely be best if there was a PDF book or something I could print ;)


        fsansfil

        Hello,

        Well, if you are referring to the classtype, these are just pre-defined categories with a priority from 1-4.

        http://manual.snort.org/node31.html

        If you want to know what a specific rule is alerting for, you'll have to look at the rule itself. In the GUI, go to your Snort interface, select the Rules tab, and browse the categories; there you'll be able to select the rule.

        Most rules have a reference part with a URL or a CVE number that could give you some info on what the rule is looking for.

        Example:
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;)

        See the reference part?

        F.

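Pulling the msg, classtype, reference and sid out of a rule like the one above, as an added Python example that is not from the thread. The classtype-to-priority table is a hand-copied subset of Snort's default classification.config (1 = highest) and should be checked against the copy shipped with your own installation; the reference prefixes are a simplified stand-in for reference.config.

```python
# Subset of default priorities from Snort's classification.config (1 = highest).
# Constructed for this example; verify against your installation's file.
CLASSTYPE_PRIORITY = {
    "trojan-activity": 1, "web-application-attack": 1, "attempted-admin": 1,
    "attempted-recon": 2, "misc-attack": 2, "misc-activity": 3, "tcp-connection": 4,
}

# The rule quoted in the thread, reused here as sample input.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MS Office '
    'Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; '
    'http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; '
    'content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/'
    'trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; '
    'classtype:trojan-activity; sid:2019877; rev:2;)'
)

def split_options(body):
    """Split the option body on ';' while ignoring ';' inside quoted strings."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def describe_rule(rule):
    """Return the human-facing parts of a Snort rule (what the alert means, and why)."""
    header, _, body = rule.partition("(")
    body = body.rsplit(")", 1)[0]
    info = {"header": header.strip(), "references": []}
    for opt in split_options(body):
        key, _, val = opt.partition(":")  # first ':' only, so URLs with ':' survive
        val = val.strip()
        if key == "msg":
            info["msg"] = val.strip('"')
        elif key == "classtype":
            info["classtype"] = val
            info["priority"] = CLASSTYPE_PRIORITY.get(val)  # None if not in the table
        elif key in ("sid", "rev"):
            info[key] = int(val)
        elif key == "reference":
            scheme, _, ident = val.partition(",")
            # Simplified version of the prefixes Snort takes from reference.config.
            prefix = {"url": "http://", "cve": "CVE-"}.get(scheme, scheme + ":")
            info["references"].append(prefix + ident)
    return info
```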
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.