Snort mailing list archives

RE: Base Barnyard and Unified Logs


From: "Lee Clemens" <snort () leeclemens net>
Date: Mon, 14 Mar 2005 18:11:04 -0500

anyone else get this?
(Sorry it's a bit off-topic with regards to Snort)

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Bad Signature from Invalid Key
*** Alert:    Signature did not verify. Message has been altered.
*** Alert:    Please verify signer's key before trusting signature.
*** Signer:   Wes Young <wcyoung () buffalo edu> (0x5B2BADB1)
*** Signed:   3/14/2005 5:49:56 PM
*** Verified: 3/14/2005 6:05:59 PM
*** BEGIN PGP VERIFIED MESSAGE ***
 
fingerprint for 0x5B2BADB1
334A E276 CC68 71F2 7912  37DD D4CE 68D0 5B2B ADB1

--Lee
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Wes Young
Sent: Monday, March 14, 2005 5:50 PM
To: Esler, Joel CNTR/Sytex
Cc: Paul Schmehl; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Base Barnyard and Unified Logs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I realize this. Which is why I stated (more than once) that Aanval (another
analysis tool) resolves sids from the snort database w/o any issue or
needing to know where sid-msg.map is, even when re-initialized.

I use snortcenter2x to manage my sensors, from this I have created a script
that autogenerates my sid-msg.map every time barnyard starts from my rules
database.

IMO: I think I might need to re-write the mysql plugin for barnyard, there
are too many tedious IDs in there that are helping confuse the problem.
Everything *SHOULD* revolve around the rule SID... it seems like everything
in the db has its own type of ID, some needed, some...over duplicated, it
seems.

BASE alone seems to look at the SIG_ID and not the SID when it looks up the
sig name to generate its cache.... why would there be a need to generate a
separate id for each sig in the signature table? To compound that, barnyard
doesn't generate the entire sig list into the DB on runtime, only when it's
needed, seems feasible, but what happens if you clear one of the tables....
you just F'd your entire setup because the SIG_ID starts back at 0 and your
SID stays the same, so BASE reads the SIG_NAME incorrectly (if at all) and
you're hosed... may not pose a problem for smaller DBs that don't need that
sort of flexibility, but (again, IMO) seems like centralizing anything
dealing with signature resolution, everything should revolve around the
SID....

I'm thinking the reason why aanval seems to work is because it doesn't even
look at the SIG_ID, which BASE might.... I just can't find the code to prove
anything....(in BASE).

Esler, Joel CNTR/Sytex wrote:
| BASE gets its info from the database.  What you put in the database 
| is up to you.  BASE reads it raw out of the database.  I agree with 
| everyone else, I think your sid-msg.map is messed up.  I would point 
| barnyard at your sid-msg.map that is updated.  (I would also recommend 
| using IDSPM to manage your rules and auto-fix your sid-msg.map)
|
| BASE does not read raw files, it will not read your sid-msg.map.  I 
| had a discussion with Marty recently about possibly generating the 
| sid-msg.map on startup, or some kind of method to autogenerate it so 
| this type of thing does not happen.
|
| Joel Esler
| BASE Project Lead
|
| On Mon, 2005-03-14 at 17:30 -0500, Wes Young wrote:
|
| I know... I have done that... which is why Aanval works...
|
| but Base Does not.... trying to figure that part out (where base gets 
| all its info)
|
| Paul Schmehl wrote:
| | --On Monday, March 14, 2005 04:05:36 PM -0500 Wes Young 
| | <wcyoung () buffalo edu <mailto:wcyoung () buffalo edu>> wrote:
| |
| |>
| |> I thought barnyard uses the sid-msg.map to read the sid and then inserts
| |> ~ the sig details to the DB, no? I don't specify the sid-msg.map anywhere
| |> else, hence why Aanval works perfectly, but base, does not.
| |>
| | You *do* have to tell barnyard where the sid-msg.map is.  Otherwise 
| | it will not be able to parse the sids to msgs.
| |
| | You do it one of two ways:
| |
| | In the config file:
| | config sid-msg-map: /path/to/sig-msg.map
| |
| | On the commandline:
| | barnyard -s /path/to/sid-msg.map
| |
| | Paul Schmehl (pauls () utdallas edu <mailto:pauls () utdallas edu>) 
| | Adjunct Information Security Officer The University of Texas at 
| | Dallas AVIEN Founding Member http://www.utdallas.edu
| |
| |
|
| --
| Wes Young
| Network Security Analyst
| University at Buffalo
| GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html

- -------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

| --
| Esler, Joel CNTR/Sytex <joel.esler () rcert-s army mil 
| <mailto:joel.esler () rcert-s army mil>>


- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCNhUU1M5o0FsrrbERAuu0AJ9xQM75VhbG066nYyCphXcR2mrwGQCeJb1O
ih2UovvBZfz+gULXQPnCgzc=
=Kket
-----END PGP SIGNATURE-----






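The SID-versus-SIG_ID problem Wes describes above, modelled as an added Python example (this is not code from the thread, from barnyard or from BASE). The `SignatureTable` class is a hypothetical, simplified stand-in for the Snort database's signature table (an auto-increment surrogate key plus the rule's own SID and message), the sid-msg.map lines are constructed, and the event rows keep a `rule_sid` field only so the audit can compare them against the SID the unified log carried. It shows why lazy inserts plus a cleared table make a SIG_ID join return the wrong name, and that resolving through the rule SID and sid-msg.map is stable:

```python
# Added example: model of barnyard-style lazy signature insertion and of what a
# console that joins on the auto-increment SIG_ID sees after the table is cleared.
# SignatureTable is a hypothetical, simplified stand-in for the Snort database
# table, not barnyard's or BASE's code. The sid-msg.map lines are constructed.

SAMPLE_SID_MSG_MAP = """\
# constructed sid-msg.map: <sid> || <msg> [|| <reference> ...]
1000001 || LOCAL Suspicious outbound connection || url,example.invalid/1000001
1000002 || LOCAL Possible scanner
2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || cve,2002-0649
"""


def parse_sid_msg_map(text):
    """Return {sid: msg}, skipping blank, comment and malformed lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # tolerate a corrupt line rather than abort the whole map
        mapping[int(fields[0])] = fields[1]
    return mapping


class SignatureTable:
    """Hypothetical model: auto-increment sig_id, plus the rule's own sid and name."""

    def __init__(self):
        self.rows = {}        # sig_id -> (sid, sig_name)
        self.next_sig_id = 1  # auto-increment counter

    def get_or_insert(self, sid, name):
        """Lazy insert: a row appears only when an alert for that SID is logged."""
        for sig_id, (row_sid, _) in self.rows.items():
            if row_sid == sid:
                return sig_id
        sig_id = self.next_sig_id
        self.rows[sig_id] = (sid, name)
        self.next_sig_id += 1
        return sig_id

    def truncate(self):
        """Clearing the table also restarts the auto-increment counter."""
        self.rows.clear()
        self.next_sig_id = 1

    def name_by_sig_id(self, sig_id):
        row = self.rows.get(sig_id)
        return row[1] if row else None


def log_alert(table, sid_msg, sid):
    """Return the event row that would be stored; 'rule_sid' is kept only so the
    audit below can compare against the SID the unified log carried."""
    return {"rule_sid": sid, "sig_id": table.get_or_insert(sid, sid_msg[sid])}


def resolve_by_sig_id(table, events):
    """Join event.sig_id -> signature.sig_id, as a console keyed on SIG_ID would."""
    return [table.name_by_sig_id(e["sig_id"]) for e in events]


def resolve_by_sid(sid_msg, events):
    """Resolve through the rule SID and sid-msg.map; unaffected by the counter."""
    return [sid_msg.get(e["rule_sid"]) for e in events]


def find_mismatched(table, events):
    """Return sig_ids of events whose signature row is missing or names another SID."""
    bad = []
    for e in events:
        row = table.rows.get(e["sig_id"])
        if row is None or row[0] != e["rule_sid"]:
            bad.append(e["sig_id"])
    return bad


def demo():
    sid_msg = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    table = SignatureTable()
    events = [log_alert(table, sid_msg, 1000001), log_alert(table, sid_msg, 2003)]
    before = resolve_by_sig_id(table, events)

    table.truncate()                                 # someone cleared the table
    events.append(log_alert(table, sid_msg, 2003))   # sid 2003 now lands on sig_id 1
    after = resolve_by_sig_id(table, events)         # the first event shows the wrong name
    return {
        "before": before,
        "after": after,
        "mismatched_sig_ids": find_mismatched(table, events),
        "by_sid": resolve_by_sid(sid_msg, events),   # stable regardless of the counter
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`find_mismatched` is the check to run after any table cleanup: it flags event rows whose SIG_ID now points at nothing or at a different rule's row, which is exactly the silent mis-labelling the thread warns about.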

