Snort mailing list archives

Re: Barnyard: classification off by one?


From: Dragos Ruiu <dr () kyx net>
Date: Sat, 5 Oct 2002 23:25:07 +0000


Classification config is hardwired into cerebus 1.4 - the upcoming release 
will enhance that, but you should not use that as authoritative because 
that is just a pre-1.9 snapshot of that layout and probably subject to change.
However, you can use the output mode of cerebus... or the text dump output 
mode of the logtopcap util at http://dragos.com/cerebus/logtopcap.c (which
will also let you dump both alert and log files) to see in human-readable
format what snort recorded in the output files for the priority field
numerically - which should be unambiguous.

cheers,
--dr

On October 5, 2002 10:26 pm, Michael Scheidell wrote:
this is where change logs, and server configuration logs should be required
(by me!)
Three systems, identical (well, obviously not!)
Two systems show classification text that is NOT the same as was requested.
md5 checksums on barnyard and classification.config are exact.
md5 checksums on snort are exact.

even cerebus shows it off by one when it reads the barnyard file.

what and where and how does snort send that info to barnyard?
does it send it an 'index' number? after reading the sid-map file?
I guess there could be problem if that 'index' number changed, ie a new
sid-msg file, right?

in fast.alert plugin for barnyard,
Version 0.1.0-rc2 (Build 11)
using released snort 1.9.0

old barnyard/snort OK: (do I keep a 'change log'?) ;-)
I kept pretty much up with betas and RCs (except for snort 1.9).
(These are put in to show it DID work at one time...) These are OK:
------------------------------------------------------------------------
08/11/02-18:23:39.755831  {TCP} 64.242.39.222:4222 -> 10.1.1.10:80
[**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]
[Xref => http://www.securityfocus.com/bid/1065]
[Xref => http://www.whitehats.com/info/IDS552]

started when I downloaded and installed (something?)

------------------------------------------------------------------------
08/11/02-22:17:03.263577  {TCP} 216.150.161.14:1588 -> 10.1.1.10:80
[**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Misc activity] [Priority: 1]
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

(should be web-application-attack)

and in classification.config file, the reported classification is one below
the real one.

config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3

these are ALL off by one:
in fact, since 8/11, every one was off by one.

(note: using the DEFAULT classification.config and rules, with the exception
of the off-colour porn rulz one.)

09/26/02-12:46:49.526011  {TCP} 207.68.171.247:80 -> 10.1.1.112:1083
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]

10/04/02-22:28:28.070771  {TCP} 207.18.92.26:1392 -> 208.237.120.134:80
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Misc activity] [Priority: 1]

------------------------------------------------------------------------
10/05/02-16:07:05.052871  {TCP} 207.46.249.61:80 -> 208.237.120.135:2280
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]

------------------------------------------------------------------------
10/05/02-19:51:14.170117  {TCP} 207.68.132.10:80 -> 208.237.120.131:3667
[**] [1:649:5] SHELLCODE x86 setgid 0 [**]
[Classification: A TCP connection was detected] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS284]

Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
dr () kyx net   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
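As an added illustration of the off-by-one Michael describes (this is not code from snort, barnyard or cerebus): if the event record carries the classification's 1-based position in classification.config but the alert writer indexes its parsed table 0-based, every description text shifts to the next entry while the priority, taken from the record itself, stays right, which is exactly the pattern in the quoted output. The sample config is a constructed excerpt kept in the order of the stock 1.9 file, and the record layout (class id plus priority) is an assumption.

```python
import re

# Constructed excerpt of classification.config, kept in the order of the
# stock file that shipped with snort 1.9 (assumption); file order is what
# an id-based lookup resolves, so it decides which text "off by one" yields.
SAMPLE_CONFIG = """\
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""
CLASS_LINE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")

def parse_classification_config(text):
    """Return [(shortname, description, priority), ...] in file order."""
    table = []
    for line in text.splitlines():
        m = CLASS_LINE.match(line)
        if m:
            table.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return table

def class_id(table, shortname):
    """1-based id of a classtype: its position in the config file."""
    for i, (name, _, _) in enumerate(table, start=1):
        if name == shortname:
            return i
    raise KeyError(shortname)

def fast_alert_tail(table, cid, priority, base):
    """Render '[Classification: ...] [Priority: N]' the way a fast-alert writer
    would (assumed layout): priority comes straight from the event record, the
    text from the table, which the writer treats as `base`-based."""
    desc = table[cid - base][1]
    return f"[Classification: {desc}] [Priority: {priority}]"

def classification_shift(table, requested, observed_desc):
    """Entries between the requested classtype and the text actually printed.
    0 means consistent; +1 is the symptom reported in the thread."""
    want = class_id(table, requested)
    for i, (_, desc, _) in enumerate(table, start=1):
        if desc == observed_desc:
            return i - want
    raise KeyError(observed_desc)
```

With `t = parse_classification_config(SAMPLE_CONFIG)`, `fast_alert_tail(t, class_id(t, "web-application-attack"), 1, base=0)` produces the "Misc activity" line from the quoted post, and `base=1` produces the correct one.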



