Snort mailing list archives

Re: sid-msg.map

From: "johnny.venter" <johnny.venter () zoho com>
Date: Tue, 19 Mar 2013 06:24:07 -0700

Sorry, 
 
I had multiple alerts with the same issue and had the corresponding SID's in a list. The sid 25568 is the correct one. 

Do you know where this information is contained?  I've tried multiple MySQL queries, but cannot find the correct 
location.

Thank you.

---- On Thu, 14 Mar 2013 11:39:24 -0700 Jeremy Hoel wrote ----

Your first alert is for SID 24889, yet your search through rules and 
sid-map is for 25568.. ?? Why was that? 

When snorby shows the "Snort Alert.. blah blah". it's reading that 
from the DB. That information gets put into the DB from Barnyard2. 

Barnyard2 reads the name of the rule from sid-msg.map (if it's 
configured to read the right one). 

When you update your rules (hopefully using pulledpork) it should 
generate a new sid-msg.map. Then you restart BY2 to read the new 
file. 

If that's not the process you are doing, or you haven't restarted BY2 
in a while.. then that's the problem. 

You can do a UPDATE mysql command to change the name of the rule in the DB. 


On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter wrote:

I'm using Snorby as my front-end not sure if this question directly related 
to Snort or Snorby. 

Most of my alerts display the "msg" field, some do not 

For example I see the following alert in Snorby: Snort Alert [1:24889:1] 

Looking thru the rules and map files, I found this: 

exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; 
flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; 
pcre:"//[a-f0-9]{16}/q.php/U"; metadata:policy balanced-ips drop, policy 
security-ips drop, service http; reference:cve,2006-0003; 
reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; 
reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; 
reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; 
reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; 
reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) 

sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page 
retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || 
cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || 
cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || 
cve,2008-0655 || cve,2007-5659 || cve,2006-0003 

Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? 

I *did* find info running the following MySQL queries: 

select * from data where cid=25568; 
select * from event where cid=25568; 
select * from tcphdr where cid=25568; 

…but did not find any msg info. Any ideas?? 

Thanks. 



------------------------------------------------------------------------------ 
Everyone hates slow websites. So do we. 
Make your web apps faster with AppDynamics 
Download AppDynamics Lite for free today: 
http://p.sf.net/sfu/appdyn_d2d_mar 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 

Please visit http://blog.snort.org to stay current on all the latest Snort 
news!



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

sid-msg.map Johnny Venter (Mar 14)
- Re: sid-msg.map Jeremy Hoel (Mar 14)
  - Re: sid-msg.map johnny.venter (Mar 19)
    - Re: sid-msg.map Y M (Mar 19)
- Re: sid-msg.map beenph (Mar 14)
- Re: sid-msg.map Joel Esler (Mar 19)