Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 2 subscribers
  • Views 2023 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

wich ips-rule did catch a packet shown in the log?

firebear_01
Hi,
if ips finds any unwanted traffic it logs and do the action wich is configured -- right.
But it logs the things in a way i cant see wich ips-rule has catched it.

2004:08:30-15:57:36  snort[15948]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 192.168.250.24:2895 -> 193.254.186.33:80

2004:08:30-15:24:09  snort[15948]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 192.168.250.24:2760 -> 65.200.140.21:80

2004:08:30-15:01:11  snort[15948]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING  {PROTO006} 192.168.250.24:2573 -> 66.102.11.104:80

How can i say on this alerts wich rule has catched it ?? Is there a system within, maybe in this   [119:7:1]  ??

thanks
firebear


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to firebear_01
    You can see the rule's ID as the second number in the [x.y.z] field of the message (y is the number you are looking for). This is the same ID as in "Intrusion Protection/Rules". You can also search for the alert message text. Check the "Filters" menu in "Intrusion Protection/Rules".

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    Hi Stephan,
    thanks for your answer. Could you please explain what the x and the z numbers are for.

    thanks
    firebear
  • 0 in reply to firebear_01
    The other two numbers are mainly system-internal information. Here's the explanation:
    [x, y, z]

    x = internal identifier for generator of alert (1=snort engine, i.e. generated by normal rule; 119=http_inspect preprocessor, 106=spp_rpc_decode preprocessor,..)
    y = ID of matching rule
    z = usually contains the internal revision of the rule, i.e. the version number. Currently this information is not logged, so this is displayed as 0 for all rules.

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    Hi Stephan_Scholz,
    is it possible to get a list of all or is there any ressource in the net where to get ?

    thanks for your answers
    firebear
  • 0 in reply to firebear_01
    Unfortunately there is no web site listing the different "generators" -> until now, because I retrieved the info for you from the source code, and you can read it here on www.astaro.org :-)

    1=snort engine, i.e. generated by normal rule
    2=tag
    100=portscan detection preprocessor
    101=minfrag preprocessor
    102=http_decode preprocessor
    103=defrag preprocessor
    104=spade preprocessor
    105=back orifice preprocessor
    106=RPC decode preprocessor
    107=stream2 preprocessor
    108=stream3 preprocessor
    109=telnet decode preprocessor
    110=unicode preprocessor
    111=stream4 preprocessor
    112=arpspoof preprocessor
    113=frag2 preprocessor
    114=fnord preprocessor
    115=ASN.1 preprocessor
    116=snort decoder preprocessor (includes general sanity checks)
    117=scan2 preprocessor
    118=conv preprocessor
    119=http_inspect preprocessor client
    120=http_inspect preprocessor server
    121=flow_portscan detection preprocessor

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    These seem to be documented by the snort people.  
    I asked Google 
    The first link contains most of the info, but is missing the last few.
    Seems like it's not easy to find online though, Google only finds it if you know exactly what to look for.

    Barry
  • 0 in reply to Stephan_Scholz
    cool thanks a lot to stephan_scholz

    firebear