At 01:49 PM 12/18/2002 +0530, you wrote:
>how to interpret logs generated by snort.

Read them with a text editor? :)

More seriously, if the majority of snort output isn't self explanatory, or
at least explanatory enough that you can ask some more specific questions
than that, then you're likely to need to learn a LOT more than I, or anyone
else, can convey in email. You'll probably need to read up a lot here.

It would be impossible to simplify snort to a level that someone who knows
nothing about networks could understand it. It's inherently complicated
information, but a good, well rounded systems admin or router admin should
already know enough to handle it, or at least know where to start looking
for answers.

There's some basic subjects you'll need to know about, and I'm going to try
to add some website links where you can read up a bit on each subject. If
you already know a good bit about this stuff, but just need some specific
information about certain ports/packet patterns, skip to number 5, and if
that doesn't help, post a specific question on this list.

         1)You'll need to understand some basics of IP, TCP, and UDP.
Things like destination addresses, source addresses, common ports, what TCP
SYN, FIN and RST mean, etc. The same kind of basic knowledge of the
internet you need to successfully configure a multi-interface router
applies here, although you don't need to know router syntax.
         A truly basic "intro to TCP/IP"
         http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

         A reasonable looking TCP/IP FAQ:
         http://www.itprc.com/tcpipfaq/default.htm

         basics of firewalls, DMZ's, etc.
         http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html

         2) You'll need to understand some basics of how network attacks
work. I'd Recommend skimming over "Smashing the Stack for fun and profit"
by Aleph one. A deep understanding isn't necessary, but a casual read of
this will give you some helpful basics in understanding the kinds of things
that happen in an attack, and give you a better understanding of what to
look for.
         http://www.insecure.org/stf/smashstack.txt

         3) also a good guide on securing systems is helpful, something
like this one:
         http://www.openna.com/products/books/sol/solus.php
         or this one:
         http://www.seifried.org/lasg/

         4) You'll need to understand the basics of internet servers, ie:
what DNS, HTTP, FTP, SMTP, etc are for. Most of that should be covered in
the various other references I've made here.

         5) here's an excellent reference on "oddball" traffic patterns
commonly seen at network borders, also very helpful
                 http://www.robertgraham.com/pubs/firewall-seen.html

-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty.
T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]