Snort mailing list archives
Re: Event mismatch
From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Fri, 8 Aug 2014 19:30:20 +0000
Can anybody tell me the configuration file for Snorby for using the sid-msg.map file? Also please tell me the configuration parameters for it. Any references?

Regards,
Anshuman

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Tuesday, August 5, 2014 11:41 PM
To: 'JJC'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event mismatch

OK. I know my config for barnyard & snort is referring to the same file, which is produced by pulledpork. But where do I tell Snorby to use the same sid-msg.map file? It is already configured to generate version 1 of sid-msg.map.

Regards,
Anshuman

From: JJC [mailto:cummingsj () gmail com]
Sent: Tuesday, August 5, 2014 8:22 PM
To: Anshuman Anil Deshmukh
Cc: Joel Esler (jesler); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event mismatch

Snorby needs to be using the sid-msg.map that pulledpork produces; you also need to be sure that you have your pulledpork configured to generate a version 1 (one) sid-msg.map, as I do not think that Snorby is compatible with the new version that was designed for use with Barnyard.

JJC

On Tue, Aug 5, 2014 at 7:27 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Can anybody reply on this?

Regards,
Anshuman

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Monday, August 4, 2014 10:59 PM
To: 'Joel Esler (jesler)'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event mismatch

Sorry for the encrypted mail which was recently sent by mistake. My apologies. What I was saying was: which configuration file does Snorby refer to in which the sid-msg.map file is specified?

Regards,
Anshuman

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Monday, August 4, 2014 8:42 PM
To: Anshuman Anil Deshmukh
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event mismatch

Looks like Snorby is not reading from the correct sid-msg.map file.

On Aug 4, 2014, at 9:34 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Anybody on this? Is there any fix for this?

Regards,
Anshuman

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Wednesday, July 30, 2014 5:23 PM
To: snort-users mailinglist
Subject: [Snort-users] Event mismatch

Hi,

I am observing that an event shown in the Snort terminal window appears in the Snorby console with a different description. Kindly see the output below from the terminal window and refer to the attachment for how the same event appears in Snorby. This event appears in Snorby as "ssh: Gobbles exploit". SID & GID are the same for both. Has anybody encountered this issue?

Snort terminal window:

    [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    07/29-11:38:33.588575 <IP address removed>:53198 -> <IP address removed>:22
    TCP TTL:64 TOS:0x8 ID:27261 IpLen:20 DgmLen:4180 DF
    ***A**** Seq: 0x6DCCC579  Ack: 0xFD13066A  Win: 0xEA80  TcpLen: 20
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639]

I have recently upgraded from Snort version 2.9.5 to 2.9.6.1 (it was compiled from source). After the upgrade I have replaced the older versions of the files classification.config, gen-msg.map, reference.config & unicode.map. Am I missing something which is causing this issue? I use pulledpork version 0.7.0 to update my rules. I update text-based rules & so_rules with pulledpork.
I use barnyard 2.1.9 (Build 263) - XFF patch (version 2). I am using mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1. Let me know in case any other information regarding my setup is needed.

Thanks.

Regards,
Anshuman

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
www.cybage.com

<Appearing in Snorbyt_mismatch.jpg>
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
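The thread above ends without a worked check, so the following is an added example, not code from Snort, Barnyard2, pulledpork, Snorby or any participant. It does what a practitioner would do before blaming the console: parse the name maps Snort's own console output is built from and compare them with the copy the console resolves names against, then resolve the exact alert header from the thread under each. It assumes the map formats as documented for Snort and Barnyard2 (gen-msg.map lines as "gid || sid || msg"; sid-msg.map v1 lines as "sid || msg || ref ..." with gid 1 implied; v2 files starting with "#v2" and lines as "gid || sid || rev || classification || priority || msg || ref ..."). The map contents are constructed for illustration: the "current" gen-msg.map line for 128:1 repeats the message in the thread's terminal output, the "stale" one carries the console text the thread reports, and local sid 1000001 is invented. Note that 128:1:1 is a preprocessor event (gid 128), so its text comes from gen-msg.map rather than sid-msg.map, which is why the lookup merges both files.

```python
"""Resolve Snort event ids against gen-msg.map / sid-msg.map and diff two map sets.

Added example for the 'Event mismatch' thread; not part of Snort, Barnyard2,
pulledpork or Snorby. Map formats assumed as documented for those tools.
"""
import re
from dataclasses import dataclass

SEP = re.compile(r"\s*\|\|\s*")          # field separator used by both map files
ALERT_HDR = re.compile(r"^\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]\s*$")


@dataclass(frozen=True)
class Sig:
    gid: int
    sid: int
    msg: str
    refs: tuple


def parse_gen_msg_map(text):
    """gen-msg.map: 'gid || sid || msg' for preprocessor/decoder generators."""
    sigs = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg = SEP.split(line, maxsplit=2)
        sigs[(int(gid), int(sid))] = Sig(int(gid), int(sid), msg.strip(), ())
    return sigs


def parse_sid_msg_map(text):
    """sid-msg.map, v1 or v2 (detected by a leading '#v2' line); keyed by (gid, sid)."""
    lines = text.strip().splitlines()
    v2 = bool(lines) and lines[0].strip() == "#v2"
    sigs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = SEP.split(line)
        if v2:
            gid, sid, _rev, _classification, _priority, msg, *refs = fields
        else:
            sid, msg, *refs = fields
            gid = 1                      # v1 carries rule sids only; gid 1 is implied
        sigs[(int(gid), int(sid))] = Sig(int(gid), int(sid), msg.strip(), tuple(refs))
    return sigs


def load_maps(gen_text, sid_text):
    """Merge both files: rule events from sid-msg.map, preprocessor events from gen-msg.map."""
    sigs = parse_gen_msg_map(gen_text)
    sigs.update(parse_sid_msg_map(sid_text))
    return sigs


def describe(sigs, gid, sid):
    s = sigs.get((gid, sid))
    return s.msg if s else None


def parse_alert_header(line):
    """'[**] [gid:sid:rev] msg [**]' -> (gid, sid, rev, msg)."""
    m = ALERT_HDR.match(line.strip())
    if not m:
        raise ValueError("not a Snort alert header: %r" % line)
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg


def check_console_text(alert_line, console_sigs):
    """Compare what Snort printed with what a console using console_sigs would show."""
    gid, sid, _rev, snort_msg = parse_alert_header(alert_line)
    console_msg = describe(console_sigs, gid, sid)
    return gid, sid, snort_msg, console_msg, snort_msg == console_msg


def diff_maps(a, b):
    """(gid, sid) -> (msg_in_a, msg_in_b) for every id whose text differs or is missing on one side."""
    out = {}
    for key in sorted(set(a) | set(b)):
        ma = a[key].msg if key in a else None
        mb = b[key].msg if key in b else None
        if ma != mb:
            out[key] = (ma, mb)
    return out


# Constructed sample maps (not copied from any release). The gid 128 line in the
# 'current' map repeats the thread's terminal output; the 'stale' map carries the
# console text the thread reports; sid 1000001 is an invented local rule.
GEN_MSG_MAP_CURRENT = """\
# gen-msg.map sample
1 || 1 || snort general alert
128 || 1 || (spp_ssh) Challenge-Response Overflow exploit
128 || 2 || (spp_ssh) SSH1 CRC32 exploit
"""
GEN_MSG_MAP_STALE = """\
1 || 1 || snort general alert
128 || 1 || ssh: Gobbles exploit
"""
SID_MSG_MAP_V1 = "1000001 || LOCAL SSH brute force attempt || url,example.invalid/ssh\n"
SID_MSG_MAP_V2 = """\
#v2
1 || 1000001 || 3 || attempted-admin || 1 || LOCAL SSH brute force attempt || url,example.invalid/ssh
"""

if __name__ == "__main__":
    alert = "[**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]"
    console = load_maps(GEN_MSG_MAP_STALE, SID_MSG_MAP_V1)
    gid, sid, snort_msg, console_msg, ok = check_console_text(alert, console)
    print("%d:%d snort=%r console=%r %s" % (gid, sid, snort_msg, console_msg, "OK" if ok else "MISMATCH"))
    for key, (cur, stale) in diff_maps(load_maps(GEN_MSG_MAP_CURRENT, SID_MSG_MAP_V2), console).items():
        print("%d:%d current=%r console=%r" % (key[0], key[1], cur, stale))
```

To use it on a real deployment, read the gen-msg.map and sid-msg.map that the sensor and Barnyard2 are configured with into one map set and the copies the console was populated from into the other; any id that shows up in diff_maps is a name the console will display differently from what Snort prints, regardless of whether the sid-msg.map is v1 or v2, since both parse to the same (gid, sid) keys.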
Current thread:
- Event mismatch Anshuman Anil Deshmukh (Jul 30)
- FW: Event mismatch Anshuman Anil Deshmukh (Aug 04)
- Re: Event mismatch Joel Esler (jesler) (Aug 04)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 04)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 04)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 05)
- Re: Event mismatch JJC (Aug 05)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 05)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 08)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 13)
- Re: Event mismatch Anshuman Anil Deshmukh (Aug 13)
- Re: Event mismatch James Lay (Aug 13)
- Re: Event mismatch Joel Esler (jesler) (Aug 04)
- FW: Event mismatch Anshuman Anil Deshmukh (Aug 04)