Snort mailing list archives

snort 2.8.6.1/base/ barnyard2 unified2 classification_id


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Thu, 2 Sep 2010 14:35:42 -0400

Hi,

I have noticed that snort populates the 32 bit field for the classification id in its unified2 output, but barnyard2 
never inserts the classification id into the database?

Below is a snapshot from our mysql.log of all transactions between barnyard2 and mysql:

554 Query BEGIN

554 Query SELECT sig_id FROM signature WHERE sig_name = 'POLICY RDP attempted administrator connection request ' AND 
sig_rev = 4 AND sig_sid = 4060 AND sig_gid = 1

554 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 8033026, 151, '2010-09-02 13:19:47')

554 Query INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, 
tcp_csum, tcp_urp) VALUES (1,8033026,2485,3389,2993058147,3596227729,5,0,24,64240,13925,0)

554 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, 
ip_ttl, ip_proto, ip_csum) VALUES (1,8033026,1610675175,1113420664,4,5,32,83,9580,0,0,51,6,6236)

554 Query INSERT INTO data (sid,cid,data_payload) VALUES 
(1,8033026,'0300002B26E00000000000436F6F6B69653A206D737473686173683D61646D696E6973747261746F720D0A')

554 Query COMMIT

So how does base know the class_id?





Thanks,

Larry
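As an added illustration (not code from the original post, nor from snort or barnyard2): a small parser for the legacy unified2 IDS event record (record type 7, 52-byte body, big-endian) that pulls out the classification_id field snort writes, run over a constructed record built from the values visible in the mysql.log above. The classification_id of 3 and priority_id of 2 are assumed placeholders, since the log never shows them.

```python
import struct
from datetime import datetime, timezone

# unified2 record header: type, length (both big-endian uint32)
RECORD_HDR = struct.Struct("!II")
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record (Unified2IDSEvent_legacy)
# 52-byte body, field order as in snort's Unified2_common.h
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
          "signature_id", "generator_id", "signature_revision",
          "classification_id", "priority_id", "ip_source", "ip_destination",
          "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def parse_records(buf):
    """Yield (record_type, payload) for every record in a unified2 byte buffer.
    IDS event records come back as a dict; other record types (packets,
    extra data) are returned with their raw body so nothing is silently lost."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        body = buf[off:off + rlen]
        if len(body) < rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            yield rtype, dict(zip(FIELDS, IDS_EVENT.unpack(body)))
        else:
            yield rtype, body

def build_event(**kw):
    """Construct a unified2 IDS event record for the demo (not real sensor output)."""
    body = IDS_EVENT.pack(*[kw.get(f, 0) for f in FIELDS])
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed sample modelled on the event in the mysql.log above (sid 1,
# cid 8033026, sig 1:4060:4, 2485 -> 3389/tcp); classification_id=3 and
# priority_id=2 are placeholders, the log does not show them.
SAMPLE = build_event(
    sensor_id=1, event_id=8033026,
    event_second=int(datetime(2010, 9, 2, 13, 19, 47, tzinfo=timezone.utc).timestamp()),
    signature_id=4060, generator_id=1, signature_revision=4,
    classification_id=3, priority_id=2,
    ip_source=1610675175, ip_destination=1113420664,
    sport_itype=2485, dport_icode=3389, protocol=6)

def event_class_ids(buf):
    """classification_id of every IDS event in buf: the value that is present in
    the unified2 record but absent from the INSERT INTO event statement above."""
    return [p["classification_id"] for t, p in parse_records(buf) if t == UNIFIED2_IDS_EVENT]
```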

