[Bro] False positive
Angelita de Cássia Corrêa
angelita at uol.com.br
Fri Jul 22 10:35:44 PDT 2005
Hi Jason,
I need to understand the alert better, the definition of each column.
In your example, could you explain to me what each column means?
Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
Date/time: Sep 18 06:51:42
Duration of the connection: 0.153497
Origin IP: 131.243.2.87
Victim IP: 131.243.2.13
Victim Protocol: http
???: 2077
Victim Port: 80
Transport Protocol: tcp
???: 66
???: 239 *** (is this the alert SID0?)
???: RSTO
???: X
???: %14
Does Bro use SID to identify the alert description?
Thanks
Angelita
----- Original Message -----
From: "Jason Lee" <jrlee at lbl.gov>
To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
Sent: Tuesday, July 19, 2005 1:41 PM
Subject: Re: [Bro] False positive
> Angelita,
>
> The logs are already in a human readable format, and they should look
> something like (from a conn.log (with altered ips)):
>
> 1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> hf just resolves the hostnames in the file:
> % ./hf /tmp/foozer
> 1000821101.824702 0.153497 foobar wakko http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 foobar wakko http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 foobar wakko http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 foobar wakko http 2115 80 tcp 80 604 RSTO X %14
>
> and cf just changes the unix timestamp to a more readable format:
> % ./cf /tmp/foozer
> Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> the manual explains all the various flags and the format of the log files.
>
> Cheers,
> jason
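To make the columns being asked about concrete, here is an added example (not code from this thread, and not Bro's own tooling) that splits the quoted conn.log lines into named fields and renders the start time the way cf does. The column order and the L/X local flag follow the classic Bro 1.x conn.log layout from the manual the reply points to, and the UTC-7 (PDT) offset is assumed from the times shown in the reply.

```python
from datetime import datetime, timedelta, timezone

# Column order of the classic (Bro 1.x era) one-line conn.log summary.
# Assumed from the Bro manual, not stated in this thread. local_flag is
# 'L' if the originator is in the local nets, 'X' otherwise; addl is
# free-form extra information and is kept as-is.
FIELDS = ("start", "duration", "orig_h", "resp_h", "service",
          "orig_p", "resp_p", "proto", "orig_bytes", "resp_bytes",
          "state", "local_flag", "addl")

# Connection-state codes as documented for Bro/Zeek conn.log (subset).
STATES = {
    "SF":   "normal establishment and termination",
    "S0":   "connection attempt seen, no reply",
    "REJ":  "connection attempt rejected",
    "RSTO": "established, originator aborted (sent a RST)",
    "RSTR": "established, responder aborted (sent a RST)",
}

# Constructed sample: the raw conn.log lines quoted in the thread.
SAMPLE = [
    "1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14",
    "1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14",
    "1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14",
]

# Assumption: the reply's "06:51" times are Pacific daylight time (UTC-7).
PDT = timezone(timedelta(hours=-7))

def _num(value, conv):
    """Old logs print '?' when a count or duration is unknown; keep that as None."""
    return None if value == "?" else conv(value)

def parse_conn_line(line):
    """Split one summary line into a dict keyed by the FIELDS names."""
    parts = line.split(None, len(FIELDS) - 1)   # addl may itself contain spaces
    if len(parts) < len(FIELDS) - 1:            # addl is the only optional column
        raise ValueError("not a conn.log summary line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec.setdefault("addl", "")
    rec["start"] = float(rec["start"])
    rec["duration"] = _num(rec["duration"], float)
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = _num(rec[key], int)
    return rec

def readable_start(rec, tz=PDT):
    """Render the epoch start time the way cf does, e.g. 'Sep 18 06:51:41'."""
    return datetime.fromtimestamp(rec["start"], tz).strftime("%b %d %H:%M:%S")

def describe_state(code):
    """Expand a state code such as RSTO into the documented meaning."""
    return STATES.get(code, "unknown state code %r" % code)
```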