List: snort-sigs
Subject: RE: [Snort-sigs] understanding 'snort signatures' / 'what triggered an event'
From: "McCammon, Keith" <Keith.McCammon () eadvancemed ! com>
Date: 2002-07-16 17:39:10
The sigs database on snort.org is a good place to start. However, it is still off-line in the wake of a minor (read: major) system failure. In its absence, I would recommend simply reading the rule that triggered the event and inspecting the corresponding packet decode. If the rule contains links to other vuln databases, you should obviously read those as well. Also try searching Google and the snort-users/sigs archives--if it has a high false rate, someone else has probably posted in the past.

Having said that, the best person to make the final false pos determination is the person running the system (read: you). View the alert, view the raw packet, check the vulnerability, and check your system logs. Not much you can't figure out if you do all of that. Also not much else that you can do with your day, but...
Cheers
Keith
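The triage loop described above (alert -> rule -> vuln references -> raw packet), as an added example that is not part of the original post or of Snort itself. It parses a Snort 2 style rule and a fast-format alert line, expands the rule's reference: options into URLs, and then searches a packet payload for each content: keyword so you can see exactly which bytes fired. The rule, alert line and HTTP payload are constructed for this example (sid 1000001 is in the local-rule range and example.com is a reserved name), and the reference prefix table is an assumed subset in the style of Snort's reference.config; the reference.config on your own installation is authoritative.

```python
"""Trace a Snort alert back to the rule and the payload bytes that matched it."""
import re

# Constructed sample rule in Snort 2 syntax (not an entry from any real ruleset).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"LOCAL web cmd.exe access attempt"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; content:"/c+"; '
    'reference:url,www.example.com/advisories/cmd-exe; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Constructed alert line in Snort's "fast" alert format.
SAMPLE_ALERT = (
    '07/16-12:18:01.123456  [**] [1:1000001:1] LOCAL web cmd.exe access attempt [**] '
    '[Classification: Web Application Attack] [Priority: 1] '
    '{TCP} 192.0.2.10:51234 -> 192.0.2.80:80'
)

# Constructed HTTP request payload, the kind of decode you inspect for an alert.
SAMPLE_PAYLOAD = (
    b'GET /scripts/..%5c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n'
    b'Host: 192.0.2.80\r\n\r\n'
)

# Assumed prefix table in the style of reference.config (your install's copy is authoritative).
REFERENCE_SYSTEMS = {
    'bugtraq': 'http://www.securityfocus.com/bid/',
    'cve': 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=',
    'url': 'http://',
}

ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_alert(line):
    """Return (gid, sid, rev) from a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError('no [gid:sid:rev] field in alert line')
    return tuple(int(x) for x in m.groups())


def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of (keyword, value) options."""
    head, _, body = rule.partition('(')
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = []
    for key, value in OPTION_RE.findall(body.rstrip(')')):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options.append((key, value))
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}


def option(rule_info, name):
    """First value of the named option, or None if the rule does not carry it."""
    return next((v for k, v in rule_info['options'] if k == name), None)


def content_bytes(pattern):
    """Decode a content string, turning |41 42| hex sections into raw bytes."""
    out = b''
    for i, part in enumerate(pattern.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return out


def content_matches(rule_info):
    """Group each content keyword with the nocase modifier that may follow it."""
    matches = []
    for key, value in rule_info['options']:
        if key == 'content':
            matches.append({'pattern': value, 'nocase': False})
        elif key == 'nocase' and matches:
            matches[-1]['nocase'] = True
    return matches


def find_triggers(rule_info, payload):
    """Return [(pattern, offset)] per content keyword; offset is -1 when it did not match."""
    hits = []
    for m in content_matches(rule_info):
        needle, hay = content_bytes(m['pattern']), payload
        if m['nocase']:
            needle, hay = needle.lower(), payload.lower()
        hits.append((m['pattern'], hay.find(needle)))
    return hits


def reference_urls(rule_info):
    """Expand reference:system,id options into the vuln-database links to read."""
    urls = []
    for key, value in rule_info['options']:
        if key == 'reference':
            system, _, ident = value.partition(',')
            urls.append(REFERENCE_SYSTEMS.get(system.lower(), system + ':') + ident)
    return urls


def triage(alert_line, rules_by_sid, payload):
    """Tie an alert to its rule, list its references, and show which content matched."""
    _gid, sid, rev = parse_alert(alert_line)
    rule_info = rules_by_sid[sid]
    hits = find_triggers(rule_info, payload)
    return {'sid': sid, 'rev': rev, 'msg': option(rule_info, 'msg'),
            'references': reference_urls(rule_info), 'hits': hits,
            'all_content_matched': all(off >= 0 for _, off in hits)}


if __name__ == '__main__':
    rule = parse_rule(SAMPLE_RULE)
    result = triage(SAMPLE_ALERT, {int(option(rule, 'sid')): rule}, SAMPLE_PAYLOAD)
    print(f"[{result['sid']}:{result['rev']}] {result['msg']}")
    for url in result['references']:
        print('  reference:', url)
    for pattern, off in result['hits']:
        print(f"  content {pattern!r}: " + ('no match' if off < 0 else f'offset {off}'))
    print('  all content keywords matched:', result['all_content_matched'])
```

Only content: keywords are evaluated here; flow:, pcre:, byte_test: and positional modifiers such as distance/within are not, so a match from this script is a starting point for reading the full rule against the packet, not a verdict. A content keyword that does not match (offset -1) on the captured payload is itself useful: it usually means the alert fired on a different packet in the stream than the one you are looking at, or on a rule revision other than the one on disk.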
> -----Original Message-----
> From: fulanito garcia [mailto:fulanitogarcia@netscape.net]
> Sent: Tuesday, July 16, 2002 12:18 PM
> To: snort-sigs@lists.sourceforge.net
> Subject: [Snort-sigs] understanding 'snort signatures' / 'what triggered an event'
>
>
> Hi there, could anybody let me know a site where I can find
> some information on how to demystify and (hopefully
> understand) the snort-signatures so that I can understand
> what type of traffic triggered an alert..... whether it was
> a false positive or not etc.
>
> thanks for your help
> Fulanito
>
>
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs