9.23. Decoding Snort Alert Messages
Problem
You want to understand a Snort alert message.
Solution
Consult the Snort signature database at http://www.snort.org/snort-db, using the signature ID as an index, or searching based on the text message. Most alerts are described in detail, and many include links to other NIDS databases with even more information, such as the arachNIDS database at http://www.whitehats.com.
Discussion
Let’s decode an alert message produced when Snort detects a port scan by nmap [Recipe 9.13]:
Mar 18 19:40:52 whimsy snort[3115]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {ICMP} 10.120.66.1 -> 10.22.33.106
Breaking apart this single line, we first have the usual syslog information:
Mar 18 19:40:52 whimsy snort[3115]:
which includes a timestamp, the hostname where Snort was running, and the Snort identifier with its process ID. Next we have:
[1:469:1] ICMP PING NMAP
In this portion of the alert, the first number, 1, is a generator ID, and identifies the Snort subsystem that produced the alert. The value 1 means Snort itself. The next number, 469, is a signature ID that identifies the alert, and corresponds to the subsequent text message (ICMP PING NMAP). The final number, 1, is a version (revision) number for the alert.
If the alert were produced by a Snort preprocessor, it would have a higher value for the generator ID, and the name of the preprocessor would be listed in parentheses before the text message. For example:
[111:10:1] (spp_stream4) ...
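The field layout just described can be turned into a small parser, which is handy when you want to group alerts by signature ID before looking them up in the signature database. The following script is an added example written for this discussion; it is not code from the book. It assumes the classic syslog output format shown above (a "snort[pid]:" prefix, then "[gid:sid:rev]", an optional "(preprocessor)" tag, the message text, optional classification and priority, optional interface, protocol, and source -> destination). The first sample line is the alert from the recipe; the stream4 line and the sshd line are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Regular expression for a Snort alert as written to syslog. The field order
# follows the recipe's breakdown; the optional groups cover alerts that omit
# classification, priority or interface (assumption: classic syslog format).
ALERT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preprocessor>[^)]+)\) )?"   # present only for preprocessor alerts
    r"(?P<message>.*?)"                    # rule message text, e.g. ICMP PING NMAP
    r"(?: \[Classification: (?P<classification>[^\]]+)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?"
    r":?"
    r"(?: <(?P<iface>[^>]+)>)?"
    r"(?: \{(?P<proto>[^}]+)\})?"
    r"(?: (?P<src>\S+) -> (?P<dst>\S+))?"
    r"\s*$"
)


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    pid: int
    gid: int
    sid: int
    rev: int
    preprocessor: Optional[str]
    message: str
    classification: Optional[str]
    priority: Optional[int]
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]

    @property
    def source(self) -> str:
        """Name the subsystem that raised the alert: generator ID 1 is Snort's own
        detection engine, any other value is a preprocessor."""
        if self.gid == 1:
            return "snort detection engine"
        return "preprocessor " + (self.preprocessor or "gid %d" % self.gid)


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        timestamp=g["timestamp"], host=g["host"], pid=int(g["pid"]),
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        preprocessor=g["preprocessor"], message=g["message"],
        classification=g["classification"],
        priority=int(g["priority"]) if g["priority"] else None,
        iface=g["iface"], proto=g["proto"], src=g["src"], dst=g["dst"],
    )


def strip_port(addr: str) -> str:
    """Drop a trailing :port from an IPv4 address (TCP/UDP alerts carry ports)."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def summarize(log_text: str) -> Dict[str, object]:
    """Count alerts per gid:sid:rev and per source host, skipping non-Snort lines.
    The gid:sid:rev keys are what you look up in the signature database."""
    by_sig: Dict[str, int] = {}
    by_src: Dict[str, int] = {}
    skipped = 0
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        key = "%d:%d:%d" % (alert.gid, alert.sid, alert.rev)
        by_sig[key] = by_sig.get(key, 0) + 1
        if alert.src:
            host = strip_port(alert.src)
            by_src[host] = by_src.get(host, 0) + 1
    return {"by_signature": by_sig, "by_source": by_src, "skipped": skipped}


# Constructed sample log: line 1 is the alert from the recipe, line 2 is a
# made-up preprocessor alert in the same format, line 3 is an unrelated
# syslog entry that the parser must ignore.
SAMPLE_SYSLOG = """\
Mar 18 19:40:52 whimsy snort[3115]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {ICMP} 10.120.66.1 -> 10.22.33.106
Mar 18 19:40:53 whimsy snort[3115]: [111:10:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection {TCP} 10.120.66.1:53 -> 10.22.33.106:1
Mar 18 19:40:54 whimsy sshd[3200]: Accepted publickey for alice from 10.22.33.5 port 40122 ssh2
"""

if __name__ == "__main__":
    for line in SAMPLE_SYSLOG.splitlines():
        a = parse_alert(line)
        if a:
            print("%s sid=%d rev=%d  %s  [%s] %s -> %s" % (
                a.source, a.sid, a.rev, a.message, a.proto, a.src, a.dst))
    print(summarize(SAMPLE_SYSLOG))
```

Running the script prints one decoded line per alert and then the per-signature and per-source counts; the sshd line is reported as skipped. The regular expression is anchored on the "snort[pid]:" prefix, so a log file mixing Snort with other daemons can be fed in as-is.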