Snort mailing list archives
snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Fri, 27 Aug 2010 09:54:14 -0400
Hi,

Found a problem where the following was returned from the snort.signature table for the following query:

    SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';

    '969', 'Snort Alert [138:2:0]'
    '443', 'Snort Alert [138:4:0]'
    '1181', 'Snort Alert [1:13974:0]'
    '1163', 'Snort Alert [1:14782:0]'
    '1251', 'Snort Alert [1:15114:0]'
    '1160', 'Snort Alert [1:16180:0]'
    '402', 'Snort Alert [1:2402000:0]'
    '420', 'Snort Alert [1:2402001:0]'
    '499', 'Snort Alert [1:2402000:0]'
    '549', 'Snort Alert [1:2402001:0]'
    '504', 'Snort Alert [1:2406085:0]'
    '531', 'Snort Alert [1:2406097:0]'
    '558', 'Snort Alert [1:2406011:0]'
    '628', 'Snort Alert [1:2406063:0]'
    '676', 'Snort Alert [1:2406010:0]'
    '498', 'Snort Alert [1:2406181:0]'
    '505', 'Snort Alert [1:2406189:0]'
    '601', 'Snort Alert [1:2406146:0]'
    '622', 'Snort Alert [1:2406144:0]'
    '625', 'Snort Alert [1:2406183:0]'
    '433', 'Snort Alert [1:2406242:0]'
    '529', 'Snort Alert [1:2406237:0]'
    '544', 'Snort Alert [1:2406281:0]'
    '576', 'Snort Alert [1:2406207:0]'
    '617', 'Snort Alert [1:2406260:0]'
    '666', 'Snort Alert [1:2406245:0]'
    '555', 'Snort Alert [1:2406361:0]'
    '564', 'Snort Alert [1:2406391:0]'
    '501', 'Snort Alert [1:2406493:0]'
    '568', 'Snort Alert [1:2406463:0]'
    '623', 'Snort Alert [1:2406418:0]'
    '624', 'Snort Alert [1:2406492:0]'
    '641', 'Snort Alert [1:2406489:0]'
    '503', 'Snort Alert [1:2406569:0]'
    '554', 'Snort Alert [1:2406595:0]'
    '570', 'Snort Alert [1:2406503:0]'
    '619', 'Snort Alert [1:2406542:0]'
    '643', 'Snort Alert [1:2406584:0]'
    '649', 'Snort Alert [1:2406594:0]'
    '661', 'Snort Alert [1:2406564:0]'
    '414', 'Snort Alert [1:2406649:0]'
    '415', 'Snort Alert [1:2406648:0]'
    '479', 'Snort Alert [1:2406614:0]'
    '516', 'Snort Alert [1:2406621:0]'
    '543', 'Snort Alert [1:2406608:0]'
    '574', 'Snort Alert [1:2406623:0]'
    '629', 'Snort Alert [1:2406641:0]'
    '630', 'Snort Alert [1:2406640:0]'
    '644', 'Snort Alert [1:2406612:0]'
    '668', 'Snort Alert [1:2406606:0]'
    '432', 'Snort Alert [1:2500036:0]'
    '435', 'Snort Alert [1:2500004:0]'
    '472', 'Snort Alert [1:2500024:0]'
    '473', 'Snort Alert [1:2500016:0]'
    '474', 'Snort Alert [1:2500030:0]'
    '494', 'Snort Alert [1:2500020:0]'
    '495', 'Snort Alert [1:2500098:0]'
    '552', 'Snort Alert [1:2500088:0]'
    '553', 'Snort Alert [1:2500099:0]'
    '559', 'Snort Alert [1:2500071:0]'
    '565', 'Snort Alert [1:2500077:0]'
    '566', 'Snort Alert [1:2500002:0]'
    '567', 'Snort Alert [1:2500063:0]'
    '581', 'Snort Alert [1:2500024:0]'
    '590', 'Snort Alert [1:2500008:0]'
    '616', 'Snort Alert [1:2500004:0]'
    '618', 'Snort Alert [1:2500022:0]'
    '652', 'Snort Alert [1:2500020:0]'
    '662', 'Snort Alert [1:2500016:0]'
    '667', 'Snort Alert [1:2500042:0]'
    '677', 'Snort Alert [1:2500030:0]'
    '416', 'Snort Alert [1:2500174:0]'
    '417', 'Snort Alert [1:2500135:0]'
    '477', 'Snort Alert [1:2500142:0]'
    '481', 'Snort Alert [1:2500124:0]'
    '483', 'Snort Alert [1:2500118:0]'
    '492', 'Snort Alert [1:2500100:0]'
    '493', 'Snort Alert [1:2500126:0]'
    '533', 'Snort Alert [1:2500150:0]'
    '550', 'Snort Alert [1:2500148:0]'
    '556', 'Snort Alert [1:2500168:0]'
    '571', 'Snort Alert [1:2500126:0]'
    '572', 'Snort Alert [1:2500182:0]'
    '573', 'Snort Alert [1:2500139:0]'
    '575', 'Snort Alert [1:2500154:0]'
    '586', 'Snort Alert [1:2500170:0]'
    '591', 'Snort Alert [1:2500162:0]'
    '592', 'Snort Alert [1:2500114:0]'
    '595', 'Snort Alert [1:2500106:0]'
    '596', 'Snort Alert [1:2500122:0]'
    '597', 'Snort Alert [1:2500176:0]'
    '609', 'Snort Alert [1:2500108:0]'
    '613', 'Snort Alert [1:2500104:0]'
    '614', 'Snort Alert [1:2500130:0]'
    '627', 'Snort Alert [1:2500166:0]'
    '632', 'Snort Alert [1:2500128:0]'
    '633', 'Snort Alert [1:2500102:0]'
    '634', 'Snort Alert [1:2500102:0]'
    '635', 'Snort Alert [1:2500120:0]'
    '639', 'Snort Alert [1:2500164:0]'
    '646', 'Snort Alert [1:2500110:0]'
    '475', 'Snort Alert [1:2500245:0]'
    '478', 'Snort Alert [1:2500266:0]'
    '496', 'Snort Alert [1:2500218:0]'
    '557', 'Snort Alert [1:2500211:0]'
    '594', 'Snort Alert [1:2500272:0]'
    '637', 'Snort Alert [1:2500232:0]'
    '638', 'Snort Alert [1:2500232:0]'
    '664', 'Snort Alert [1:2500208:0]'
    '665', 'Snort Alert [1:2500210:0]'
    '534', 'Snort Alert [1:2520138:0]'
    '377', 'Snort Alert [1:66666:0]'

Barnyard2 is supposed to insert signature names like "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt" into sig_name of the snort.signature table, correct? So what happened? Better yet, how do we clean this mess up? We think Barnyard2 is not at fault, and the snort sid-msg.map and rules are the problem. Are we thinking in the correct direction?

Thanks,
Larry
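An added diagnostic for rows like the ones in this post (example code, not barnyard2's or Snort's own): it resolves the "Snort Alert [gid:sid:rev]" placeholder names against the two map files barnyard2 reads, separates rows a database UPDATE can repair from SIDs the maps do not contain at all, and builds the parameterised UPDATEs for the signature table. It assumes the sid-msg.map layout of that era (`sid || msg || refs`, gid 1) and gen-msg.map as `gid || sid || msg`; the map fragments and rows are constructed.

```python
import re

# Placeholder name seen in the query output above: barnyard2 writes it when gid:sid is not in its maps.
PLACEHOLDER = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")
# Constructed map fragments in the files' layout, not the real Snort/ET maps.
SID_MSG_MAP = """# sid || msg || reference
2406085 || EXAMPLE rule message for sid 2406085 || url,example.invalid/doc
13974 || EXAMPLE rule message for sid 13974
"""
GEN_MSG_MAP = """# gid || sid || msg
138 || 2 || EXAMPLE preprocessor message for 138:2
"""
# Constructed rows shaped like the query output: (sig_id, sig_name).
ROWS = [(969, "Snort Alert [138:2:0]"), (1181, "Snort Alert [1:13974:0]"),
        (504, "Snort Alert [1:2406085:0]"), (377, "Snort Alert [1:66666:0]"),
        (12, "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt")]

def parse_map(text, has_gid):
    """sid-msg.map (sid || msg || refs, gid 1 assumed) or gen-msg.map
    (gid || sid || msg) -> {(gid, sid): msg}; comments and blanks skipped."""
    names = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split("||")]
        gid, sid, msg = (f[0], f[1], f[2]) if has_gid else (1, f[0], f[1])
        names[(int(gid), int(sid))] = msg
    return names

def classify_rows(rows, names):
    """Return (fixable {sig_id: msg}, missing [(sig_id, gid, sid)]). Missing SIDs
    need the rules/sid-msg.map regenerated, not a DB edit; real names are skipped."""
    fixable, missing = {}, []
    for sig_id, sig_name in rows:
        m = PLACEHOLDER.match(sig_name)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if key in names:
            fixable[sig_id] = names[key]
        else:
            missing.append((sig_id,) + key)
    return fixable, missing

def update_statements(fixable):
    """Parameterised UPDATEs for the signature table; run them in one transaction."""
    return [("UPDATE signature SET sig_name = %s WHERE sig_id = %s", (msg, sig_id))
            for sig_id, msg in sorted(fixable.items())]
```

Rows reported as missing (such as sid 66666 here) cannot be repaired from the database side; they point at SIDs absent from sid-msg.map, which is what barnyard2 needs regenerated alongside the rules.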