Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 2 subscribers
  • Views 2025 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

wich ips-rule did catch a packet shown in the log?

firebear_01
Hi,
if ips finds any unwanted traffic it logs and do the action wich is configured -- right.
But it logs the things in a way i cant see wich ips-rule has catched it.

2004:08:30-15:57:36  snort[15948]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 192.168.250.24:2895 -> 193.254.186.33:80

2004:08:30-15:24:09  snort[15948]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 192.168.250.24:2760 -> 65.200.140.21:80

2004:08:30-15:01:11  snort[15948]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING  {PROTO006} 192.168.250.24:2573 -> 66.102.11.104:80

How can i say on this alerts wich rule has catched it ?? Is there a system within, maybe in this   [119:7:1]  ??

thanks
firebear


This thread was automatically locked due to age.
Parents
  • 0
    firebear,

    you won't find specific rules for these alerts. They were generated by the Snort preprocessor http_inspect. You can recognize this by the leading "(http_inspect"). The preprocessor normalizes HTTP traffic, before it is passed to the ruleset, and occasionally logs warnings.

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    Thank you Stephan_Scholz,

    but what is with other traffic is there a list or anything where i can see wich ips.rule catches wich packet ??

    firebear
  • 0 in reply to firebear_01
    You can see the rule's ID as the second number in the [x.y.z] field of the message (y is the number you are looking for). This is the same ID as in "Intrusion Protection/Rules". You can also search for the alert message text. Check the "Filters" menu in "Intrusion Protection/Rules".

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    Hi Stephan,
    thanks for your answer. Could you please explain what the x and the z numbers are for.

    thanks
    firebear
  • 0 in reply to firebear_01
    The other two numbers are mainly system-internal information. Here's the explanation:
    [x, y, z]

    x = internal identifier for generator of alert (1=snort engine, i.e. generated by normal rule; 119=http_inspect preprocessor, 106=spp_rpc_decode preprocessor,..)
    y = ID of matching rule
    z = usually contains the internal revision of the rule, i.e. the version number. Currently this information is not logged, so this is displayed as 0 for all rules.

    Regards,
    Stephan
  • 0 in reply to Stephan_Scholz
    Hi Stephan_Scholz,
    is it possible to get a list of all or is there any ressource in the net where to get ?

    thanks for your answers
    firebear
  • 0 in reply to firebear_01
    Unfortunately there is no web site listing the different "generators" -> until now, because I retrieved the info for you from the source code, and you can read it here on www.astaro.org :-)

    1=snort engine, i.e. generated by normal rule
    2=tag
    100=portscan detection preprocessor
    101=minfrag preprocessor
    102=http_decode preprocessor
    103=defrag preprocessor
    104=spade preprocessor
    105=back orifice preprocessor
    106=RPC decode preprocessor
    107=stream2 preprocessor
    108=stream3 preprocessor
    109=telnet decode preprocessor
    110=unicode preprocessor
    111=stream4 preprocessor
    112=arpspoof preprocessor
    113=frag2 preprocessor
    114=fnord preprocessor
    115=ASN.1 preprocessor
    116=snort decoder preprocessor (includes general sanity checks)
    117=scan2 preprocessor
    118=conv preprocessor
    119=http_inspect preprocessor client
    120=http_inspect preprocessor server
    121=flow_portscan detection preprocessor

    Regards,
    Stephan
Reply
  • 0 in reply to firebear_01
    Unfortunately there is no web site listing the different "generators" -> until now, because I retrieved the info for you from the source code, and you can read it here on www.astaro.org :-)

    1=snort engine, i.e. generated by normal rule
    2=tag
    100=portscan detection preprocessor
    101=minfrag preprocessor
    102=http_decode preprocessor
    103=defrag preprocessor
    104=spade preprocessor
    105=back orifice preprocessor
    106=RPC decode preprocessor
    107=stream2 preprocessor
    108=stream3 preprocessor
    109=telnet decode preprocessor
    110=unicode preprocessor
    111=stream4 preprocessor
    112=arpspoof preprocessor
    113=frag2 preprocessor
    114=fnord preprocessor
    115=ASN.1 preprocessor
    116=snort decoder preprocessor (includes general sanity checks)
    117=scan2 preprocessor
    118=conv preprocessor
    119=http_inspect preprocessor client
    120=http_inspect preprocessor server
    121=flow_portscan detection preprocessor

    Regards,
    Stephan
Children