Old 10-19-2002, 10:13 AM   #1
epeus
Member
 
Registered: Oct 2002
Posts: 41

Question Interpreting Snort log files and alerts


I have recently started using Snort; it's a great program with some serious functions! I am wondering though how to make sense of the log files and the alert entries. I have had a poke around looking for info regarding the logs but not much to help a snorting newbie out!

Anyone know of any good sites regarding Snort logfiles, mainly for the NIDS function?

Also can someone decipher this one for me?

[**] [1:1239:5] NETBIOS RFParalyze Attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x9778355B Ack: 0x68E4B63F Win: 0x2D40 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6583452 3692784


Also, what kind of entries should I be worried about and do something about? Snort generates a fair few entries in its "alert" file!


thanks

ed.
 
Old 10-19-2002, 11:18 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Re: Interpreting Snort log files and alerts

Excellent. Snort has many different ways of logging info. The pro of ASCII logging is you get readable stuff w/o hassle; the con is it's slower because Snort has to manage converting data to human readable format. Snort's unified logging format and tcpdumps are faster. The unified logging format can be parsed by, for instance, Barnyard. Tcpdumps can be read by many apps including Snort (-r) to generate logging later on, Ethereal, Tcpflow to get Ethereal-like "conversations", Tcptrace, Tcpfilter, Tcpdump itself of course, etc etc.
Tcpdumps also come in handy when trying to establish if a Snort signature is generating false positives on certain rules.

Next to the Snort site docs, the Snort forum and the Snort mailinglists, Google is your next target for finding info as usual. Specific stuff can also be found through, for instance, Neohapsis.

About RFParalyze. Get the SID (Snort signature ID) from [**] [1:1239:5] NETBIOS RFParalyze Attempt [**], then see http://www.snort.org/snort-db/sid.html?sid=1239 for more info. RFP of course is "Rain Forest Puppy"; this tool, rfparalyze.c, was meant to show a vulnerability in NetBIOS. Searching Packetstorm should get you to this text.


The alerts you should be interested in/"worry about" are those that you added to your snort.conf depending on platform, running networked daemons, suspicious traffic you received before you installed Snort, recent exploits, attacks etc etc. Mind you, Snort can still generate *a lot* of false positives. If you can make sure the origin of the alert is "harmless" (being a wee bit paranoid goes a long way) you can start writing custom pass rules or attach a BPF filter.

Have fun.
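Added example, not from the thread and not Snort's own code: a small Python parser for the "full" alert format ed pasted above, pulling out the gid:sid:rev triple, classification and priority, endpoints, protocol and the set TCP flags, then collapsing alerts per signature with the most urgent first. The sample alert text is constructed, modelled on ed's alert, with placeholder addresses, MACs and a placeholder local rule (sid 1000001).

```python
import re
from collections import Counter
# Constructed sample in Snort "full" alert format, modelled on the alert quoted in
# the thread; IPs, MACs, ports and the sid 1000001 local rule are placeholders.
SAMPLE_ALERTS = """\
[**] [1:1239:5] NETBIOS RFParalyze Attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/19-14:48:38.543734 0:48:54:22:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
192.0.2.10:1032 -> 198.51.100.5:139 TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x9778355B Ack: 0x68E4B63F Win: 0x2D40 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6583452 3692784

[**] [1:1000001:1] NETBIOS local rule (constructed) [**]
[Classification: Misc activity] [Priority: 3]
10/19-14:50:01.000001 192.0.2.10:1033 -> 198.51.100.5:137 UDP TTL:64 TOS:0x0 ID:18200 IpLen:20 DgmLen:78
Len: 50
"""
# [**] [gid:sid:rev] msg [**]: generator id, signature id (what the snort-db URL takes), revision
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# src[:port] -> dst[:port] PROTO TTL:n (ICMP alerts carry no ports); the MAC line has no TTL:
IP_RE = re.compile(r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))? (\w+) TTL:(\d+)")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """One dict per [**] header; the alert's other fields arrive on the following lines."""
    alerts, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4],
                   "priority": None, "proto": "", "tcp_flags": ""}
            alerts.append(cur)
        elif cur is None:
            continue
        elif m := CLASS_RE.match(line):
            cur["classification"], cur["priority"] = m[1], int(m[2])
        elif " TTL:" in line and (m := IP_RE.search(line)):
            cur.update(src=m[1], src_port=m[2] and int(m[2]), dst=m[3],
                       dst_port=m[4] and int(m[4]), proto=m[5], ttl=int(m[6]))
        elif m := FLAGS_RE.match(line):
            cur["tcp_flags"] = m[1].replace("*", "")  # set flags only, e.g. "A" = ACK alone
    return alerts

def triage(alerts):
    """Rows of (gid, sid, count, priority, msg), most urgent first: Snort's
    classification.config gives priority 1 to the most severe classes."""
    counts = Counter((a["gid"], a["sid"]) for a in alerts)
    first = {(a["gid"], a["sid"]): a for a in alerts}
    rows = [(g, s, n, first[g, s]["priority"], first[g, s]["msg"]) for (g, s), n in counts.items()]
    return sorted(rows, key=lambda r: (r[3] if r[3] is not None else 99, -r[2]))
```

Feeding a real "alert" file through parse_alerts and triage gives one line per signature to check against the snort-db page for its sid, instead of reading every hit.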
 
Old 10-19-2002, 11:58 AM   #3
epeus
Member
 
Registered: Oct 2002
Posts: 41

Original Poster
Yes, I am having fun!

Cheers for your response and your links.

In regards to the format of the logfile, I have been using Ethereal, which is a very nice front end prog for packet sniffing; that was the reason I decided to use Snort! With Ethereal I found it hard to filter out packets and to get exactly what I want, and the logfiles it generated (mainly due to the lack of filters) were huge and unmanageable; they took ages to analyze and slowed my system down heaps! So I started using Snort!

My snort.conf is merely the default one from snort.org. That would be my next question: anyone care to share their snort.conf file? I have read the Snort documentation but I am lazy and often stupid!

Do ppl run Snort as a daemon or whack it in the rc.local? I currently just start it up once the machine is online!


Again, thanks for your help unSpawn.

ed.
 
Old 10-20-2002, 02:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
If you unset MAC and address resolution under preferences in Ethereal, loading the dump should be faster. You can also process the dump first with tcpdump (-r), tack on a BPF filter to filter crud, and read the smaller output in Snort/Ethereal/whatever app. The simplest example of a BPF filter would be "and not src host <your public IP address>", which would get you all traffic except that originating from your public IP address...

If you've got questions about your Snort config, just post your config here. I run Snort as a daemon, and in "one off" mode to process interesting dumps and verify downloaded new rulesets are OK.

// Btw, watch out calling yourself lazy (this one's for everyone posting here). Lemme explain. If you're lazy "the creative way" this would mean you're willing to go the extra mile to ensure you don't have to reinvent the wheel twice. That's cool. I fully support that.
OTOH if you're lazy in the negative sense, as in "not willing to labour" etc etc, this would mean you would rather let other ppl do your dirty jobs, leech but never give back, don't "study" but ask questions w/o even scanning the docs, etc etc, you get it.

Personally (and a lot of ppl here with me, I'm sure) I deeply resent posts by ppl being lazy the bad way, and if I even remotely sense that I'll drop those questions/replies to /dev/null.
 
Old 10-21-2002, 08:04 AM   #5
epeus
Member
 
Registered: Oct 2002
Posts: 41

Original Poster
Hmm, yes I can see your point regarding the interpretation of a lazy person, and in the future I shall refrain from that since the obvious interpretation definitely does not represent me!

I will not attempt to justify why I am not lazy, since credibility is hard to establish on a forum.

But I will say that since my career does not lie within IT or computers or Linux, I am put at a serious disadvantage when trying to resolve a problem associated with Linux! So the degree of expertise in my questions may lack somewhat. Hence I can definitely see how an attitude could develop regarding "lazy" ppl; this may or may not be correct.

Nonetheless, in my profession (engineering) the ability to research and solve problems by one's self is mandatory. I adhere to this strongly and incompetence is not tolerated. But when a customer/friend/colleague is in discussion with a design team they certainly do not call him lazy because of his lack of knowledge in that particular field!

Anyway, I think I missed your point.. lol


Thanks for your comments though unSpawn, you are certainly helpful!

I have been using the default snort.conf since I downloaded the software recently and it is working great guns so far!


Btw, with Ethereal I noticed the filter tab can be used with some ease, but when I put a filter in for, say, "UDP" packets (gaming, which results in HEAPS of packets) it does not filter them.

How can you create a filter that will merely capture one particular type of packet, like "netbios"?

Filter strings I have tried are:

"UDP"
"NETBIOS"

and I cannot get more than one string!

Anyone got a good filter string to work?

ed.
 
Old 10-21-2002, 08:08 AM   #6
epeus
Member
 
Registered: Oct 2002
Posts: 41

Original Poster
quote: "lazy the creative way"


lol

I like that, but there is a very fine line between the two you mentioned!

ed.
 
Old 10-21-2002, 09:47 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
In Ethereal, reading a dump, try "netbios" or "dst port netbios-ns or port netbios-dgm or port netbios-ssn". If you don't have the names in /etc/services, use the protocol/port numbers from this lookup list, for example.

If this were a Snort filter, try including rules for netbios (" gfind <snortrules dir> netbios") or try adding these lines in snort.conf:
ruletype log_netbios
{
type log
output log_tcpdump: netbios.dmp
}
# rule options sit between "(" and ")" and each ends with ";"; newer Snort versions
# also want a sid option, with local rules numbered 1000000 and up
log_netbios ip $EXTERNAL_NET any -> $HOME_NET 137:139 (msg:"NETBIOS";)

Finally Snort also accepts BPF filters (-F):
BpfFilter="dst port netbios-ns or port netbios-dgm or port netbios-ssn" or numbered that's "dst port 137 or port 138 or port 139". Now start snort (or tcpdump) as snort <args> "$BpfFilter".

// I didn't say you're lazy, just cautioning about using it; especially in the company of ppl you don't know I would consider using it bad P.R., after all it's commonly used as a negative attribute describing ppl. Wrt me and msgboards in general it's fuelled by reading too many outrageous requests and replies, resulting in having something of a "guilty until proven innocent" filter. That's bad to some extent, I agree.
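Added example, not from the thread or from Snort/tcpdump: a Python helper that rewrites the name-based BPF filter above into the numeric form unSpawn gives, for a box whose /etc/services lacks the netbios names, and wraps it with the "and not src host" exclusion from post #4. The fallback port table and the exclude_host helper are my additions; the port numbers are the ones quoted in the post.

```python
import re
import socket

# Fallback for hosts whose /etc/services lacks the NetBIOS names, as the post warns;
# values are the numbers the post itself gives for the three services.
FALLBACK_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

def service_port(name):
    """Resolve a service name to a port, /etc/services first, then the fallback table."""
    try:
        return socket.getservbyname(name)
    except OSError:
        if name in FALLBACK_PORTS:
            return FALLBACK_PORTS[name]
        raise ValueError(f"unknown service name in BPF filter: {name!r}")

# "port <name>" (also after src/dst); "portrange" and numeric ports are not touched.
PORT_NAME = re.compile(r"\b(port\s+)([A-Za-z][\w-]*)")

def numeric_bpf(expr):
    """Rewrite every 'port <name>' term to 'port <number>' so the same filter works
    for snort/tcpdump on a box without the names in /etc/services."""
    return PORT_NAME.sub(lambda m: m[1] + str(service_port(m[2])), expr)

def exclude_host(expr, public_ip):
    """Combine a filter with post #4's 'and not src host <your public IP>'; the
    parentheses keep the 'or' terms from binding looser than the 'and'."""
    return f"({expr}) and not src host {public_ip}"

if __name__ == "__main__":
    names = "dst port netbios-ns or port netbios-dgm or port netbios-ssn"
    print(exclude_host(numeric_bpf(names), "192.0.2.1"))  # 192.0.2.1 is a placeholder
```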