Besides understanding the technical signature or policy "code" that "triggered" the alarm, it is also useful to understand why the trigger was built in the first place.
Since Snort© signatures are usually fairly well documented, one way to discover the intent of a signature is to search the web for its title using any of the common search engines (Yahoo, Google, Teoma, AltaVista, or one of the many others). For instance, a search on the MS SQL xp_cmdshell vulnerability yields ~7000 hits. One of those hits is:
Zone-H.org * Advisories ... Successful exploitation of this vulnerability can enable an attacker to execute commands in the system (via MS SQL xp_cmdshell function). ... www.zone-h.org/advisories/read/id=4243 - 17k - Cached - Similar pages
This web site gives a fairly detailed description of the exploit and confirms that it can be used to gain root-level control of a computer; it is therefore a vulnerability of significant interest. Several other sites also give details about the signature, the attack, and other useful information.
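As an added illustration (not part of the original page, and not Snort's own code), the following Python script pulls the msg: title and any reference: options out of a Snort rule so the analyst has the web search term and the documentation links at hand before looking the signature up. The sample rule is constructed after the xp_cmdshell example above (its sid is a placeholder in the local range), and the reference-system-to-URL mapping assumes the standard entries of Snort's reference.config.

```python
import re
from typing import Dict, List

# Assumed: the standard reference-system prefixes from Snort's reference.config.
REFERENCE_URLS = {
    "cve": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

# One rule option: key ':' value ';' where the value may be a quoted string
# (quotes may contain ';' and ':'), or a bare token run up to the next ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

# Constructed sample rule, modelled on the MS SQL xp_cmdshell signature.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 '
    '(msg:"MS-SQL xp_cmdshell - program execution"; '
    'flow:to_server,established; '
    'content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; '
    'reference:url,www.zone-h.org/advisories/read/id=4243; '
    'classtype:attempted-user; sid:1000001; rev:1;)'
)


def parse_rule(rule: str) -> Dict[str, object]:
    """Split one Snort rule into its header and the options an analyst needs.

    Returns header, msg (the search title), sid, classtype and a list of
    reference links; 'reference' may repeat, so it is accumulated.
    Option names without a value (e.g. 'nocase;') are simply skipped.
    """
    head, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")")
    info: Dict[str, object] = {"header": head.strip(), "msg": None,
                               "sid": None, "classtype": None, "references": []}
    for key, value in OPTION_RE.findall(body):
        value = value.strip().strip('"')
        if key == "msg":
            info["msg"] = value
        elif key == "sid":
            info["sid"] = int(value)
        elif key == "classtype":
            info["classtype"] = value
        elif key == "reference":
            system, _, ident = value.partition(",")
            base = REFERENCE_URLS.get(system.lower())
            info["references"].append(base + ident if base else value)
    return info


def lookup_hints(rule: str) -> List[str]:
    """Search term (the signature title) followed by any documented references."""
    info = parse_rule(rule)
    hints = ['search: "%s"' % info["msg"]] if info["msg"] else []
    return hints + ["reference: " + r for r in info["references"]]


if __name__ == "__main__":
    for line in lookup_hints(SAMPLE_RULE):
        print(line)
```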
Unfortunately, most of the embedded Bro rules have not been documented. The analyst must rely on his/her own understanding of network attacks to work out what the intent of the rule is. Sometimes useful comments are written into the Bro policy source.