From: Matt Kettler (mkettler_at_EVI-INC.COM)
Date: Wed Dec 18 2002 - 17:11:26 CST


    At 01:49 PM 12/18/2002 +0530, you wrote:
    >how to interpret logs generated by snort.

    Read them with a text editor? :)

    More seriously, if the majority of snort output isn't self-explanatory, or
    at least explanatory enough that you can ask some more specific questions
    than that, then you're likely to need to learn a LOT more than I, or anyone
    else, can convey in email. You'll probably need to read up a lot here.

    It would be impossible to simplify snort to a level that someone who knows
    nothing about networks could understand it. It's inherently complicated
    information, but a good, well-rounded systems admin or router admin should
    already know enough to handle it, or at least know where to start looking
    for answers.

    There are some basic subjects you'll need to know about, and I'm going to try
    to add some website links where you can read up a bit on each subject. If
    you already know a good bit about this stuff, but just need some specific
    information about certain ports/packet patterns, skip to number 5, and if
    that doesn't help, post a specific question on this list.

    1) You'll need to understand some basics of IP, TCP, and UDP.
    Things like destination addresses, source addresses, common ports, what TCP
    SYN, FIN and RST mean, etc. The same kind of basic knowledge of the
    internet you need to successfully configure a multi-interface router
    applies here, although you don't need to know router syntax.

       A truly basic "intro to TCP/IP":
       http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

       A reasonable looking TCP/IP FAQ:
       http://www.itprc.com/tcpipfaq/default.htm

       Basics of firewalls, DMZs, etc.:
       http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html

    2) You'll need to understand some basics of how network attacks
    work. I'd recommend skimming over "Smashing the Stack for Fun and Profit"
    by Aleph One. A deep understanding isn't necessary, but a casual read of
    this will give you some helpful basics in understanding the kinds of things
    that happen in an attack, and give you a better understanding of what to
    look for.

       http://www.insecure.org/stf/smashstack.txt

    3) Also, a good guide on securing systems is helpful, something
    like this one:

       http://www.openna.com/products/books/sol/solus.php

       or this one:

       http://www.seifried.org/lasg/

    4) You'll need to understand the basics of internet servers, i.e.
    what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in
    the various other references I've made here.

    5) Here's an excellent reference on "oddball" traffic patterns
    commonly seen at network borders, also very helpful:

       http://www.robertgraham.com/pubs/firewall-seen.html

    Snort-users mailing list