
List:       snort-sigs
Subject:    RE: [Snort-sigs] understanding 'snort sigantures' / 'what triggered an event'
From:       "McCammon, Keith" <Keith.McCammon () eadvancemed ! com>
Date:       2002-07-16 17:39:10

The sigs database on snort.org is a good place to start.  However, it is still
off-line in the wake of a minor (read: major) system failure.  In its absence, I
would recommend simply reading the rule that triggered the event and inspecting the
corresponding packet decode.  If the rule contains links to other vuln databases, you
should obviously read those as well.  Also try searching Google and the
snort-users/sigs archives--if it has a high false rate, someone else has probably
posted in the past.

Having said that, the best person to make the final false pos determination is the
person running the system (read: you).  View the alert, view the raw packet, check
the vulnerability, and check your system logs.  Not much you can't figure out if you
do all of that.  Also not much else that you can do with your day, but...

Cheers

Keith

> -----Original Message-----
> From: fulanito garcia [mailto:fulanitogarcia@netscape.net]
> Sent: Tuesday, July 16, 2002 12:18 PM
> To: snort-sigs@lists.sourceforge.net
> Subject: [Snort-sigs] understanding 'snort sigantures' / 'what triggered an event'
> 
> 
> Hi there, could anybody let me know a site where I can find 
> some information on how to demystify and (hopefully 
> understand) the snort-signatures so that I can understand 
> what type of traffic triggered an alert..... whether it was 
> false positive or not etc.
> 
> thanks for your help
> Fulanito
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

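As an added example (not code from Keith's mail or from the Snort project), here is a small Python helper for the first step he describes: take the `[gid:sid:rev]` tag from a Snort fast-alert line, find the matching rule by SID in a rules file, and turn the rule's `reference:` options into the vuln-database URLs worth reading. The rule, alert and CVE number below are constructed samples, and the reference prefix map is assumed to match a subset of the `reference.config` shipped with Snort; check it against your own copy.

```python
import re

# Reference-system prefixes: assumed subset of Snort's reference.config.
REF_PREFIX = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

# Constructed sample rule (SID in the local range) and fast-alert line; CVE id is a placeholder.
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample traversal"; '
    'uricontent:"../"; reference:cve,CVE-0000-0000; reference:url,example.org/advisory; '
    'classtype:web-application-attack; sid:9000001; rev:1;)\n'
)
SAMPLE_ALERT = ('07/16-12:18:00.000000  [**] [1:9000001:1] WEB-MISC sample traversal [**] '
                '[Classification: Web Application Attack] [Priority: 1] {TCP} '
                '10.0.0.5:4567 -> 10.0.0.1:80')


def parse_rules(text):
    """Return {sid: {"msg": ..., "refs": [...]}} from one-rule-per-line text.
    Options are split on ';', so a ';' inside a quoted content string would need escaping."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r"\((.*)\)\s*$", line.strip())
        if not line.strip() or line.startswith("#") or not m:
            continue
        opts, refs = {}, []
        for opt in m.group(1).split(";"):
            key, _, val = opt.strip().partition(":")
            if key.strip() == "reference":
                refs.append(val.strip())
            elif key.strip():
                opts[key.strip()] = val.strip()
        if "sid" in opts:
            rules[int(opts["sid"])] = {"msg": opts.get("msg", "").strip('"'), "refs": refs}
    return rules


def parse_alert(line):
    """Extract (gid, sid, rev) from a fast-alert tag such as [1:9000001:1]; gid 1 = rules file."""
    m = re.search(r"\[(\d+):(\d+):(\d+)\]", line)
    return tuple(int(x) for x in m.groups()) if m else None


def reference_urls(refs):
    """Map 'system,id' references to URLs; unknown systems are returned as-is for manual lookup."""
    urls = []
    for ref in refs:
        system, _, ident = ref.partition(",")
        prefix = REF_PREFIX.get(system.strip().lower())
        urls.append(prefix + ident.strip() if prefix else ref)
    return urls


def lookup(alert_line, rules_text):
    """Resolve an alert line to its rule message and reference URLs, or None if no rule matches."""
    gid, sid, rev = parse_alert(alert_line)
    rule = parse_rules(rules_text).get(sid) if gid == 1 else None
    if rule is None:
        return None
    return {"sid": sid, "rev": rev, "msg": rule["msg"], "urls": reference_urls(rule["refs"])}
```

Run `lookup(SAMPLE_ALERT, SAMPLE_RULES)` against your own alert and rules file to get the list of links to read before deciding whether the event is a false positive.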