Analyse Snort IDS alerts


Problem description

Hi, I have Snort IDS alerts (logs) like this:

[**] [1:2123:2] ATTACK-RESPONSES Microsoft cmd.exe banner [**]
[Classification: Successful Administrator Privilege Gain] [Priority: 1] 
03/09-19:43:56.034979 66.59.111.182:80 -> xxx:60134
TCP TTL:45 TOS:0x0 ID:45583 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5314DE4 Ack: 0xC70EBBC2 Win: 0x198C TcpLen: 32
TCP Options (3) => NOP NOP TS: 193196204 1313605945 
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

[**] [1:498:6] ATTACK-RESPONSES id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
03/09-20:46:19.176514 64.151.140.130:80 -> xxx:62038
TCP TTL:52 TOS:0x0 ID:42702 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x13E85710 Ack: 0x6F91FBB5 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1894901317 1313613431 

[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
06/17-08:44:41.865372 192.168.1.7:33156 -> 192.168.1.1:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:121 DF
Len: 93
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]

...

but I don't know the meaning of those fields.
Is there anyone to help?

Recommended answer

Technically not a development question.
Best way is to look at Snort documentation itself.
Here: Snort Users Manual
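As an added illustration of what those fields are (this is example code written for this page, not part of the question, the answer, or Snort itself), the following parser reads alerts in Snort's "full" alert format and labels each field; the embedded sample is constructed from two of the alerts quoted in the question:

```python
import re

# Constructed sample: two of the alerts quoted in the question, in Snort's "full" alert format.
SAMPLE_ALERTS = """[**] [1:2123:2] ATTACK-RESPONSES Microsoft cmd.exe banner [**]
[Classification: Successful Administrator Privilege Gain] [Priority: 1]
03/09-19:43:56.034979 66.59.111.182:80 -> xxx:60134
TCP TTL:45 TOS:0x0 ID:45583 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x5314DE4 Ack: 0xC70EBBC2 Win: 0x198C TcpLen: 32
TCP Options (3) => NOP NOP TS: 193196204 1313605945
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/17-08:44:41.865372 192.168.1.7:33156 -> 192.168.1.1:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:121 DF
Len: 93
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
"""

# Header line: [**] [generator id:signature id:rule revision] rule message [**]
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Rule classtype and its priority (1 is the most severe)
CLASS = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
# Packet line: MM/DD-HH:MM:SS.usec source:port -> destination:port
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
# IP header summary; a trailing "DF" means the Don't Fragment bit is set
IPHDR = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
# Cross-references to external advisories; several may share one line
XREF = re.compile(r"\[Xref => (.*?)\]")

def parse_alerts(text):
    """Split full-format alert text on blank lines and turn each alert into a dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert block (e.g. a truncated "..." marker)
        a = {"gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]), "msg": head[4], "xrefs": []}
        for line in lines[1:]:
            if m := CLASS.match(line):
                a["classification"], a["priority"] = m[1], int(m[2])
            elif m := PACKET.match(line):
                a.update(timestamp=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            elif m := IPHDR.match(line):
                a.update(proto=m[1], ttl=int(m[2]), tos=m[3], ip_id=int(m[4]), ip_len=int(m[5]),
                         dgm_len=int(m[6]), df=line.endswith(" DF"))
            else:
                a["xrefs"] += XREF.findall(line)  # TCP flag/option and "Len:" lines add nothing
        alerts.append(a)
    return alerts
```

Filtering the returned dicts on `priority == 1` or on `sid` is the usual first triage step before looking up the rule text and its Xref links.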

