Snort mailing list archives

snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem

From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Fri, 27 Aug 2010 09:54:14 -0400

Hi,

Found a problem where the following was returned from the snort.signature table for the following query:

SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';

'969', 'Snort Alert [138:2:0]'
'443', 'Snort Alert [138:4:0]'
'1181', 'Snort Alert [1:13974:0]'
'1163', 'Snort Alert [1:14782:0]'
'1251', 'Snort Alert [1:15114:0]'
'1160', 'Snort Alert [1:16180:0]'
'402', 'Snort Alert [1:2402000:0]'
'420', 'Snort Alert [1:2402001:0]'
'499', 'Snort Alert [1:2402000:0]'
'549', 'Snort Alert [1:2402001:0]'
'504', 'Snort Alert [1:2406085:0]'
'531', 'Snort Alert [1:2406097:0]'
'558', 'Snort Alert [1:2406011:0]'
'628', 'Snort Alert [1:2406063:0]'
'676', 'Snort Alert [1:2406010:0]'
'498', 'Snort Alert [1:2406181:0]'
'505', 'Snort Alert [1:2406189:0]'
'601', 'Snort Alert [1:2406146:0]'
'622', 'Snort Alert [1:2406144:0]'
'625', 'Snort Alert [1:2406183:0]'
'433', 'Snort Alert [1:2406242:0]'
'529', 'Snort Alert [1:2406237:0]'
'544', 'Snort Alert [1:2406281:0]'
'576', 'Snort Alert [1:2406207:0]'
'617', 'Snort Alert [1:2406260:0]'
'666', 'Snort Alert [1:2406245:0]'
'555', 'Snort Alert [1:2406361:0]'
'564', 'Snort Alert [1:2406391:0]'
'501', 'Snort Alert [1:2406493:0]'
'568', 'Snort Alert [1:2406463:0]'
'623', 'Snort Alert [1:2406418:0]'
'624', 'Snort Alert [1:2406492:0]'
'641', 'Snort Alert [1:2406489:0]'
'503', 'Snort Alert [1:2406569:0]'
'554', 'Snort Alert [1:2406595:0]'
'570', 'Snort Alert [1:2406503:0]'
'619', 'Snort Alert [1:2406542:0]'
'643', 'Snort Alert [1:2406584:0]'
'649', 'Snort Alert [1:2406594:0]'
'661', 'Snort Alert [1:2406564:0]'
'414', 'Snort Alert [1:2406649:0]'
'415', 'Snort Alert [1:2406648:0]'
'479', 'Snort Alert [1:2406614:0]'
'516', 'Snort Alert [1:2406621:0]'
'543', 'Snort Alert [1:2406608:0]'
'574', 'Snort Alert [1:2406623:0]'
'629', 'Snort Alert [1:2406641:0]'
'630', 'Snort Alert [1:2406640:0]'
'644', 'Snort Alert [1:2406612:0]'
'668', 'Snort Alert [1:2406606:0]'
'432', 'Snort Alert [1:2500036:0]'
'435', 'Snort Alert [1:2500004:0]'
'472', 'Snort Alert [1:2500024:0]'
'473', 'Snort Alert [1:2500016:0]'
'474', 'Snort Alert [1:2500030:0]'
'494', 'Snort Alert [1:2500020:0]'
'495', 'Snort Alert [1:2500098:0]'
'552', 'Snort Alert [1:2500088:0]'
'553', 'Snort Alert [1:2500099:0]'
'559', 'Snort Alert [1:2500071:0]'
'565', 'Snort Alert [1:2500077:0]'
'566', 'Snort Alert [1:2500002:0]'
'567', 'Snort Alert [1:2500063:0]'
'581', 'Snort Alert [1:2500024:0]'
'590', 'Snort Alert [1:2500008:0]'
'616', 'Snort Alert [1:2500004:0]'
'618', 'Snort Alert [1:2500022:0]'
'652', 'Snort Alert [1:2500020:0]'
'662', 'Snort Alert [1:2500016:0]'
'667', 'Snort Alert [1:2500042:0]'
'677', 'Snort Alert [1:2500030:0]'
'416', 'Snort Alert [1:2500174:0]'
'417', 'Snort Alert [1:2500135:0]'
'477', 'Snort Alert [1:2500142:0]'
'481', 'Snort Alert [1:2500124:0]'
'483', 'Snort Alert [1:2500118:0]'
'492', 'Snort Alert [1:2500100:0]'
'493', 'Snort Alert [1:2500126:0]'
'533', 'Snort Alert [1:2500150:0]'
'550', 'Snort Alert [1:2500148:0]'
'556', 'Snort Alert [1:2500168:0]'
'571', 'Snort Alert [1:2500126:0]'
'572', 'Snort Alert [1:2500182:0]'
'573', 'Snort Alert [1:2500139:0]'
'575', 'Snort Alert [1:2500154:0]'
'586', 'Snort Alert [1:2500170:0]'
'591', 'Snort Alert [1:2500162:0]'
'592', 'Snort Alert [1:2500114:0]'
'595', 'Snort Alert [1:2500106:0]'
'596', 'Snort Alert [1:2500122:0]'
'597', 'Snort Alert [1:2500176:0]'
'609', 'Snort Alert [1:2500108:0]'
'613', 'Snort Alert [1:2500104:0]'
'614', 'Snort Alert [1:2500130:0]'
'627', 'Snort Alert [1:2500166:0]'
'632', 'Snort Alert [1:2500128:0]'
'633', 'Snort Alert [1:2500102:0]'
'634', 'Snort Alert [1:2500102:0]'
'635', 'Snort Alert [1:2500120:0]'
'639', 'Snort Alert [1:2500164:0]'
'646', 'Snort Alert [1:2500110:0]'
'475', 'Snort Alert [1:2500245:0]'
'478', 'Snort Alert [1:2500266:0]'
'496', 'Snort Alert [1:2500218:0]'
'557', 'Snort Alert [1:2500211:0]'
'594', 'Snort Alert [1:2500272:0]'
'637', 'Snort Alert [1:2500232:0]'
'638', 'Snort Alert [1:2500232:0]'
'664', 'Snort Alert [1:2500208:0]'
'665', 'Snort Alert [1:2500210:0]'
'534', 'Snort Alert [1:2520138:0]'
'377', 'Snort Alert [1:66666:0]'

Barnyard2 is suppose to insert signature names like "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow 
attempt" into sig_name of the snort.signature table correct?

So what happened? 

Better yet, how do we clean this mess up?

We think Barnyard2 is not at fault, and  the snort sid-msg.map and rules are the problem.

Are we thinking in the correct direction?

Thanks,
Larry

------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users 
worldwide. Take advantage of special opportunities to increase revenue and 
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Lawrence R. Hughes, Sr. (Aug 27)
- Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem JJC (Aug 27)
  - Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Lawrence R. Hughes, Sr. (Aug 27)
    - Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Joel Esler (Aug 27)
    - Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Nigel Houghton (Aug 27)
- Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Joel Esler (Aug 27)
  - Re: snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem Lawrence R. Hughes, Sr. (Aug 27)