Re: [Nepenthes-devel] Nepenthes log
From: Kees T. <kee...@su...> - 2009-07-28 09:44:34
Hi,

I would think Start means the start of the connection (seconds since Epoch) and Finish means the end of the connection. I'm guessing RX is information about the Received traffic and TX is information about the Transmitted traffic. I think LUID and ISock are just identifiers, not very useful information for us.

Sometimes emulation fails because the incoming connection is not an attack or it's an attack that is not detected by Nepenthes. There's not much you can do about this.

Regards,
Kees Trippelvitz

Alperen ÿffffdeirin wrote:
> Enabling the log-attack module provides some information about the
> attacks, but I don't know how to interpret the data in the attack
> logs. Here is a sample from the attack logs:
>
> Socket|LUID=0x80a69e0|Start=1248773826.528347|Finish=1248773837.462022|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=xxx.xxx.xxx.xxx:445|Remote=xxx.xxx.xxx.xxx:50134|RX=9,1340,bf3f23479900dde93cbd230d47f04b59|TX=8,952,a591bc42a98d8fdf631f2c4a55bb0653|Dumpfile=bf3f23479900dde93cbd230d47f04b59
> Shellcode|LUID=0x80a8598|Start=1248773826.552421|Finish=1248773826.552708|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=0d05727b5c00dcec8bf8cb2841aff833|Trigger=MS04-007
> ASN.1 Decoding (SMB_NEGOTIATE)
> Shellcode|LUID=0x80a7bf8|Start=1248773826.824332|Finish=1248773826.824857|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=e7a51247a4115f8f6c8929cb9510bb59|Trigger=MS04-007
> ASN..1 Decoding (SMB_NEGOTIATE)
> Shellcode|LUID=0x80a8d40|Start=1248773827.117834|Finish=1248773827.118544|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=fca6001a401d0588ff6d28d28ae60da9|Trigger=MS08-067
> Server Service
>
> Now I have some questions about the attack logs.
>
> What do the fields like LUID, Start, Finish, RX, TX, ISock mean?
>
> Why can't I read the dump files in the 'connections' directory with
> tcpdump, and how can I read them?
>
> Why has the emulation failed? Looking at the detailed log in
> nepenthes.log, I couldn't figure out why.
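A small parser for the pipe-separated attack-log records quoted in this thread, added here as an example; it is not part of the thread and not Nepenthes' own code. It follows Kees's reading of the fields: Start and Finish are taken as seconds since the Epoch, the three comma-separated values in RX and TX are assumed (my assumption, not stated on the list) to be a count, a byte total and an MD5 hash, and each Shellcode record is linked to its Socket record by matching ISock against the socket's LUID, which the identifiers in the excerpt support. The sample input is the excerpt from the thread with the wrapped Trigger values re-joined onto one line.

```python
from datetime import datetime, timezone

# Constructed sample: the records quoted in the thread, with the line-wrapped
# Trigger values re-joined. Addresses are redacted exactly as on the list.
SAMPLE_LOG = """\
Socket|LUID=0x80a69e0|Start=1248773826.528347|Finish=1248773837.462022|Status=CONNECTED|Proto=TCP|Type=INCOMING|Local=xxx.xxx.xxx.xxx:445|Remote=xxx.xxx.xxx.xxx:50134|RX=9,1340,bf3f23479900dde93cbd230d47f04b59|TX=8,952,a591bc42a98d8fdf631f2c4a55bb0653|Dumpfile=bf3f23479900dde93cbd230d47f04b59
Shellcode|LUID=0x80a8598|Start=1248773826.552421|Finish=1248773826.552708|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=0d05727b5c00dcec8bf8cb2841aff833|Trigger=MS04-007 ASN.1 Decoding (SMB_NEGOTIATE)
Shellcode|LUID=0x80a7bf8|Start=1248773826.824332|Finish=1248773826.824857|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=e7a51247a4115f8f6c8929cb9510bb59|Trigger=MS04-007 ASN..1 Decoding (SMB_NEGOTIATE)
Shellcode|LUID=0x80a8d40|Start=1248773827.117834|Finish=1248773827.118544|Type=UNKNOWN|Emulation=FAILURE|Handler=|ISock=0x80a69e0|MD5=fca6001a401d0588ff6d28d28ae60da9|Trigger=MS08-067 Server Service
"""


def parse_record(line):
    """Split 'Kind|Key=Value|Key=Value...' into a dict; the first field is the record kind."""
    kind, *fields = line.rstrip("\n").split("|")
    rec = {"kind": kind}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r} in record {kind}")
        rec[key] = value  # empty values such as 'Handler=' are kept as ''
    return rec


def parse_traffic(value):
    """Assumption: RX/TX carry 'count,bytes,md5' (not documented in the thread)."""
    count, nbytes, digest = value.split(",")
    return {"count": int(count), "bytes": int(nbytes), "md5": digest}


def epoch_to_utc(ts):
    """Start/Finish are read as seconds since the Epoch, per Kees's interpretation."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def correlate(text):
    """Group Shellcode records under the Socket they belong to (ISock == Socket LUID).

    Returns (sockets_by_luid, orphans); orphans are Shellcode records whose
    socket was not seen, e.g. when the log was truncated.
    """
    sockets, orphans = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["kind"] == "Socket":
            rec["RX"] = parse_traffic(rec["RX"])
            rec["TX"] = parse_traffic(rec["TX"])
            rec["shellcode"] = []
            sockets[rec["LUID"]] = rec
        elif rec["kind"] == "Shellcode":
            parent = sockets.get(rec.get("ISock"))
            (parent["shellcode"] if parent else orphans).append(rec)
    return sockets, orphans


def summarize(text):
    """One summary row per connection: timing, traffic, and emulation outcome per shellcode hit."""
    sockets, orphans = correlate(text)
    rows = []
    for luid, s in sockets.items():
        rows.append({
            "luid": luid,
            "start_utc": epoch_to_utc(s["Start"]),
            "duration_s": float(s["Finish"]) - float(s["Start"]),
            "remote": s["Remote"],
            "rx_bytes": s["RX"]["bytes"],
            "tx_bytes": s["TX"]["bytes"],
            "dumpfile": s["Dumpfile"],
            "triggers": [sc["Trigger"] for sc in s["shellcode"]],
            "failed_emulations": sum(sc["Emulation"] == "FAILURE" for sc in s["shellcode"]),
        })
    return rows, orphans


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG)[0]:
        print(row)
```

Running it on the excerpt yields one connection from port 50134 to 445 that lasted just under 11 seconds and raised three shellcode detections, all with Emulation=FAILURE, which is the situation the original poster asked about; the Dumpfile name equals the RX hash, so the same value can be used to locate the capture for that connection.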