snort-users February 2010 archive

Re: [Snort-users] Strange Alert

From: Nigel Houghton <nhoughton_at_nospam>
Date: Wed Feb 10 2010 - 13:28:52 GMT
To: Jens Link <jenslink@gmx.de>


On Wed, Feb 10, 2010 at 7:06 AM, Jens Link <jenslink@gmx.de> wrote:
> Hi,
>
> I have a snort (2.8.5.2) setup here using barnyard (2.1.7) and base
> (1.4.4). Everything works as expected except for one alert which shows
> up on base:
>
> [snort]    Snort Alert [133:34:0]    unclassified
>
> I grepped /etc/snort and the source and didn't find anything. Any ideas?
>
> Jens
> --
> -------------------------------------------------------------------------
> | Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264         |
> | http://www.quux.de | http://blog.quux.de   | jabber: jenslink_at_guug.de |
> -------------------------------------------------------------------------
>

If you look in the gen-msg.map (it's in the distribution, look for it) you will find:

133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client

Then if you look in the doc directory (it's in the distribution, look for it) you will find the document that accompanies this event; it is named 133-34.txt. (I thought the gid-sid.txt naming convention might be helpful.)

Also, you might want to enable the preprocessor rules, then you might get the classification as well.

Oh, and one more thing about the events: for the fifty-hundred-billionth time, the format is [GID:SID:REV], so the event you have would be GID 133 (look in the gen-msg.map again for the pre-processor that gives the event), SID 34, REVISION 0.

--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
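The lookup described in the reply (split the [GID:SID:REV] triple, find the GID/SID pair in gen-msg.map, then open gid-sid.txt in the doc directory), as an added example that is not part of the thread or of the Snort distribution. It assumes the "gid || sid || message" layout of gen-msg.map; the 133 || 34 entry is the one quoted above, the other sample entry is constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the gen-msg.map layout (gid || sid || message).
# The 133 || 34 line is the one quoted in the thread; the 105 entry is an
# assumed example in the same layout and does not come from the thread.
SAMPLE_GEN_MSG_MAP = """\
# GENERATOR ID || ALERT ID || MSG
105 || 1 || spp_bo: Back Orifice Traffic detected
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
"""

# [GID:SID:REV] as it appears in the BASE label "Snort Alert [133:34:0]"
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Build a (gid, sid) -> message table; blank and '#' lines are skipped."""
    table: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # malformed entry: skip it instead of aborting the load
        # a message may itself contain '||', so re-join everything after sid
        table[(int(parts[0]), int(parts[1]))] = " || ".join(parts[2:])
    return table


def parse_alert_id(label: str) -> Tuple[int, int, int]:
    """Return (gid, sid, rev) from a label containing [GID:SID:REV]."""
    m = ALERT_ID_RE.search(label)
    if m is None:
        raise ValueError(f"no [GID:SID:REV] triple in {label!r}")
    gid, sid, rev = (int(g) for g in m.groups())
    return gid, sid, rev


def resolve_alert(label: str, table: Dict[Tuple[int, int], str]) -> dict:
    """Look the event up and name the doc file (gid-sid.txt) to read next."""
    gid, sid, rev = parse_alert_id(label)
    msg = table.get((gid, sid))
    return {
        "gid": gid, "sid": sid, "rev": rev,
        "generator": msg.split(":", 1)[0] if msg else None,  # message prefix names the preprocessor
        "msg": msg,
        "doc": f"{gid}-{sid}.txt" if msg else None,  # naming convention from the thread
    }


if __name__ == "__main__":
    print(resolve_alert("Snort Alert [133:34:0]", parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)))
```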