Snort mailing list archives

Re: problem with Snort Alert Descriptions


From: beenph <beenph () gmail com>
Date: Wed, 1 May 2013 12:06:44 -0400

Hi John,

They are not the same alert.

Since in the first example the ET signature probably has a high signature
id, but it has a generator id of 1 since it's an event.

While in your second example,

Snort Alert [generator id : signature id : revision] generator id 129,
signature id 2, revision 1 is 129 || 2 || stream5: Data on SYN packet

Make sure that your sid-msg.map file and gen-msg.map file are up to date.

Unfortunately, once inserted, signature ids are not updated by barnyard2, thus
you might need to manually update them,
or the easy way around is to delete your waldo file, move your old
unified2 file to the processing directory and let barnyard2
reprocess your events.

Hope this helps,
-elz





On Wed, May 1, 2013 at 11:55 AM, John Ainsworth <
john.ainsworth () thebookpeople co uk> wrote:

Hi

I have set up 2 snort servers with Base, barnyard2 and pulledpork.

1 runs on Ubuntu 12.04 32bit, the other on Ubuntu 12.04 64 bit.

The actual snort config is identical between the 2 boxes.

However, in Base on the 32bit one the alert signature is correctly displaying
the friendly description for the alert,

i.e.

#0-(3-6)<http://10.0.0.96/base/base_qry_alert.php?submit=%230-%283-6%29&sort_order=>

[snort <http://www.snort.org/search/sid/1-2008597>] ET SCAN Cisco Torch
SNMP Scan

But on the 64bit one any alerts triggered just show the signature id, not
the more friendly description:

#192-(3-404104)<http://10.3.0.41/base/base_qry_alert.php?submit=%23192-%283-404104%29&sort_order=>

[snort <http://www.snort.org/search/sid/129-2>] Snort Alert [129:2:1]

I'm not sure the problem is linked to 32bit/64bit but it's the only
difference between the way the servers were set up.

Anyone any ideas on what to look at?

Thanks

John
--
John Ainsworth - IT Manager
01942 868097 (extension 1105) 07733 323091


------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

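The distinction elz draws above (a generator id of 1 resolves through sid-msg.map, while 129:2 has to be resolved through gen-msg.map, and an unknown pair falls back to the bare "Snort Alert [gid:sid:rev]" string) can be checked outside barnyard2 with a small resolver. The following is an added example written for this archive page; it is not code from the thread, from Snort or from barnyard2. It assumes the barnyard2 convention that generator ids 1 and 3 are looked up in a v1-format sid-msg.map (`sid || msg || refs`) and every other generator in gen-msg.map (`gid || sid || msg`); the two map snippets are constructed samples.

```python
import re

# Constructed sample in the v1 sid-msg.map format: sid || msg || reference,...
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
2008597 || ET SCAN Cisco Torch SNMP Scan || url,doc.emergingthreats.net/2008597
"""

# Constructed sample in the gen-msg.map format: gid || sid || msg
GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
129 || 2 || stream5: Data on SYN packet
"""

# Matches the "[129:2:1]" triple BASE shows when no friendly text is known.
TRIPLE_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def _fields(text):
    """Yield the '||'-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """Return {sid: msg} from a v1 sid-msg.map; references are ignored."""
    sids = {}
    for fields in _fields(text):
        if len(fields) >= 2 and fields[0].isdigit():
            sids[int(fields[0])] = fields[1]
    return sids


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} from gen-msg.map."""
    gens = {}
    for fields in _fields(text):
        if len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            gens[(int(fields[0]), int(fields[1]))] = fields[2]
    return gens


def parse_triple(label):
    """Extract (gid, sid, rev) from a string such as 'Snort Alert [129:2:1]'."""
    m = TRIPLE_RE.search(label)
    if m is None:
        raise ValueError("no [gid:sid:rev] triple in %r" % label)
    return tuple(int(x) for x in m.groups())


def describe(gid, sid, rev, sid_map, gen_map):
    """Resolve a triple to its message the way barnyard2 does (assumed convention):
    gid 1 and 3 (text and shared-object rules) use sid-msg.map, everything
    else uses gen-msg.map; a miss yields the generic 'Snort Alert [g:s:r]'."""
    if gid in (1, 3):
        msg = sid_map.get(sid)
    else:
        msg = gen_map.get((gid, sid))
    return msg if msg is not None else "Snort Alert [%d:%d:%d]" % (gid, sid, rev)


def describe_label(label, sid_map, gen_map):
    """Convenience wrapper: resolve the triple embedded in a BASE-style label."""
    gid, sid, rev = parse_triple(label)
    return describe(gid, sid, rev, sid_map, gen_map)


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    print(describe(1, 2008597, 1, sid_map, gen_map))   # ET rule via sid-msg.map
    print(describe_label("Snort Alert [129:2:1]", sid_map, gen_map))  # preprocessor via gen-msg.map
    print(describe(129, 99, 1, sid_map, gen_map))      # stale map: generic fallback
```

If an alert resolves only to the generic "Snort Alert [gid:sid:rev]" form here, the corresponding line is missing from the map barnyard2 was started with, which is exactly the stale sid-msg.map/gen-msg.map condition the reply describes; regenerating the maps and reprocessing the unified2 files (or correcting the stored signature rows by hand) is the fix.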