Understanding the Snort alert log

Snort is a free, open-source, lightweight network intrusion detection system (NIDS) for Linux and Windows that detects emerging threats.

Below is an example event from the Snort alert file in the /var/log directory:

[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

The alert log entry can be broken down as follows:

[**] [1:2403478:40303]
The detection mechanism, the Signature ID (SID) and the signature revision. The SID (the middle number) identifies the signature that fired and is the key used to look it up. The revision is the minor release version of the signature.

If the SID is less than 1000000, this is a Sourcefire signature (https://www.snort.org/rule_docs). If the SID is between 1000000 and 2000000, this is a Snort community rule. If the SID is between 2000000 and 3000000, this is an Emerging Threats signature (https://emergingthreats.net). Lastly, if the SID falls in any other range, it is a custom signature.

ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90
This is one example of a Snort signature. In this case it is an Emerging Threats (ET) signature sourced from the CINS Active Threat Intelligence (Sentinel IPS) feed, and it fired because the IP was classified as having a poor reputation (an IP that is widely reported and blocked).

[Classification: Misc Attack] [Priority: 2]
The classification of the signature; in this case the signature is classed as a miscellaneous attack with a priority of 2. Snort priorities range from 0 (lowest priority) up to 10 (highest priority).

05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
The month/day and timestamp of the signature event, followed by the source IP address and port, then the destination IP address and port. In the example, XX.XX.XX.XX stands for a masked IP address and :xx for the port number.

TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
The IP header for the signature event. Displays the Time-to-Live (TTL), Type of Service (TOS), identifier (ID), the IP header length (IpLen) and the datagram length, inclusive of headers and payload (DgmLen).

******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
The header flags (S for SYN), the sequence number (Seq), the acknowledgement number (Ack), the window size (Win) and the TCP header length (TcpLen).

[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
The signature reference for further information.
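As an added example (not part of the original page), the following Python parses one multi-line event of the alert-file format broken down above into its fields and applies the SID-range rule from the text. The sample event is constructed from the alert shown above with made-up addresses and ports in place of the masked XX.XX.XX.XX:xx values; it also accepts non-TCP events that carry no port numbers.

```python
import re

# Constructed sample: the alert from the text with example IPs/ports filled in.
SAMPLE_ALERT = """\
[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 10.0.0.5:51234 -> 192.0.2.10:23
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
# Ports are optional so ICMP-style "src -> dst" lines parse as well.
FLOW_RE = re.compile(r"^(\S+) (\S+?)(?::(\S+))? -> (\S+?)(?::(\S+))?$")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")


def sid_source(sid):
    """Map a SID to its rule source using the ranges given in the text."""
    if sid < 1_000_000:
        return "sourcefire"
    if sid < 2_000_000:
        return "community"
    if sid < 3_000_000:
        return "emerging-threats"
    return "custom"


def parse_alert(block):
    """Parse one Snort alert-file event (the [**] ... [Xref] block) into a dict."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    gid, sid, rev, msg = HEADER_RE.match(lines[0]).groups()
    cls, prio = CLASS_RE.search(lines[1]).groups()
    ts, src, sport, dst, dport = FLOW_RE.match(lines[2]).groups()
    proto = lines[3].split()[0]
    # Remaining "Key:Value" tokens on the IP header line (TTL:238, TOS:0x0, ...).
    ip_hdr = dict(kv.split(":", 1) for kv in lines[3].split()[1:])
    event = {
        "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "source": sid_source(int(sid)),
        "classification": cls, "priority": int(prio),
        "timestamp": ts, "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "ttl": int(ip_hdr["TTL"]), "ip_id": int(ip_hdr["ID"]),
        "iplen": int(ip_hdr["IpLen"]), "dgmlen": int(ip_hdr["DgmLen"]),
        "xrefs": XREF_RE.findall(block),
    }
    if proto == "TCP":
        # The 8-character flag field: set bits are letters, clear bits are '*'.
        event["tcp_flags"] = lines[4].split()[0].replace("*", "")
    return event
```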

Installing Modern Honey Network (Ubuntu)

Install Git

  • $ sudo apt-get install git -y

Install MHN

  • $ cd /opt/
  • $ sudo git clone https://github.com/threatstream/mhn.git
  • $ cd mhn/
  • $ sudo ./install.sh

Configuration

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password:
Server base url ["http://1.2.3.4"]:
Honeymap url ["http://1.2.3.4:3000"]:
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["mhn.log"]:

Running

user@precise64:/opt/mhn/scripts$ sudo /etc/init.d/nginx status
* nginx is running
user@precise64:/opt/mhn/scripts$ sudo /etc/init.d/supervisor status
is running
user@precise64:/opt/mhn/scripts$ sudo supervisorctl status
geoloc RUNNING pid 31443, uptime 0:00:12
honeymap RUNNING pid 30826, uptime 0:08:54
hpfeeds-broker RUNNING pid 10089, uptime 0:36:42
mhn-celery-beat RUNNING pid 29909, uptime 0:18:41
mhn-celery-worker RUNNING pid 29910, uptime 0:18:41
mhn-collector RUNNING pid 7872, uptime 0:18:41
mhn-uwsgi RUNNING pid 29911, uptime 0:18:41
mnemosyne RUNNING pid 28173, uptime 0:30:08