Snort mailing list archives

Re: Sig_reference table issue


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 21 Nov 2016 14:15:15 +0000

The error pretty much describes what is going on.  If you are using pulledpork to download your ruleset it should 
generate your sid-msg.map for you, which in turn should be read by barnyard2 upon startup.  This will eliminate this 
error and cause your rules to be named correctly in the DB.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 21, 2016, at 1:34 AM, shekhar $on! <rajnish.soni89 () gmail com> wrote:

Can someone tell me what I have to do to get a response from your side?

On Fri, Nov 18, 2016 at 7:03 PM, shekhar $on! <rajnish.soni89 () gmail com> wrote:
Hi All,

To add more on this issue, I tested further and found that whenever any rule matches, this type of alert gets generated 
for that gid and sid.

INFO [dbProcessSignatureInformation()]: [Event: 59] with [gid: 1] [sid: 10009003] [rev: 1] [classification: 0] [priority: 0]
         was not found in barnyard2 signature cache, this could lead to display inconsistency.
         To prevent this warning, make sure that your sid-msg.map and gen-msg.map file are up to date with the snort process logging to the spool file.
         The new inserted signature will not have its information present in the sig_reference table.
         Note that the message inserted in the signature table will be snort default message "Snort Alert [gid:sid:revision]"
         You can always update the message via a SQL query if you want it to be displayed correctly by your favorite interface


Due to this my BASE is not showing the proper signature name, and the number of such events in the signature table keeps increasing.

Please someone reply as i have some urgent delivery pending due to this error.

On Fri, Nov 18, 2016 at 2:14 PM, shekhar $on! <rajnish.soni89 () gmail com> wrote:
Hi All,

My sig_reference table is not updating with the signature name. It's showing the default Snort Alert instead of the signature name. 
Can someone help me here.

+--------+-------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name                | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+-------------------------+--------------+--------------+---------+---------+---------+
| 154975 | Snort Alert [116:412:1] |          181 |            3 |       1 |     412 |     116 |
| 154976 | Snort Alert [116:414:1] |          181 |            3 |       1 |     414 |     116 |
| 154977 | Snort Alert [122:23:1]  |          156 |            2 |       1 |      23 |     122 |
| 154978 | Snort Alert [116:408:1] |          181 |            3 |       1 |     408 |     116 |
| 154979 | Snort Alert [116:431:1] |          181 |            3 |       1 |     431 |     116 |
| 154980 | Snort Alert [122:24:1]  |          156 |            2 |       1 |      24 |     122 |
| 154981 | Snort Alert [129:12:1]  |          155 |            2 |       1 |      12 |     129 |
| 154982 | Snort Alert [1:1917:15] |          175 |            3 |      15 |    1917 |       1 |
| 154983 | Snort Alert [1:24303:6] |          181 |            3 |       6 |   24303 |       1 |
| 154984 | Snort Alert [116:6:1]   |          178 |            3 |       1 |       6 |     116 |
| 154985 | Snort Alert [129:15:1]  |          155 |            2 |       1 |      15 |     129 |
| 154986 | Snort Alert [122:22:1]  |          156 |            2 |       1 |      22 |     122 |
| 154987 | Snort Alert [122:21:1]  |          156 |            2 |       1 |      21 |     122 |
| 154988 | Snort Alert [128:4:1]   |          177 |            2 |       1 |       4 |     128 |
| 154989 | Snort Alert [116:445:1] |          155 |            2 |       1 |     445 |     116 |
| 154990 | Snort Alert [1:2329:14] |          161 |            1 |      14 |    2329 |       1 |
+--------+-------------------------+--------------+--------------+---------+---------+---------+



------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads

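Joel's fix is the right one: give barnyard2 a current sid-msg.map and gen-msg.map at startup (pulledpork writes the former) so new events are named when they are inserted. The rows that already exist with the placeholder name "Snort Alert [gid:sid:revision]" stay that way, which is the SQL update the warning text hints at. The script below is an added example, not code from this thread or from the barnyard2 or pulledpork projects. It parses both map files (the v2 sid-msg.map layout with a leading `#v2` line, `gid || sid || rev || classification || priority || msg || refs`, and the older v1 layout `sid || msg || refs`, plus gen-msg.map's `gid || sid || msg`), resolves the (gid, sid) in each placeholder row, checks that the placeholder agrees with the row's own sig_gid/sig_sid/sig_rev columns, and emits one `UPDATE signature ...` per row it can name while reporting the ones it cannot. The map lines, message strings and signature rows in it are constructed samples, not real rule text; the column order of barnyard2's `signature` table (sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid) is assumed from its schema.

```python
import re

# barnyard2's placeholder name when a (gid, sid) is missing from its signature cache
DEFAULT_NAME = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")


def parse_sid_msg_map(text):
    """{(gid, sid): msg} from sid-msg.map.
    v2 (pulledpork 0.7+, first line '#v2'): gid || sid || rev || class || prio || msg || refs
    v1 (no marker): sid || msg || refs  -- the gid is not recorded, so entries are keyed as gid 1."""
    entries, v2 = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#v2":
            v2 = True
            continue
        if line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:
            if len(fields) < 6:
                raise ValueError("malformed v2 sid-msg.map line: %r" % line)
            entries[(int(fields[0]), int(fields[1]))] = fields[5]
        else:
            if len(fields) < 2:
                raise ValueError("malformed v1 sid-msg.map line: %r" % line)
            entries[(1, int(fields[0]))] = fields[1]
    return entries


def parse_gen_msg_map(text):
    """{(gid, sid): msg} from gen-msg.map (gid || sid || msg), used for decoder/preprocessor events."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            raise ValueError("malformed gen-msg.map line: %r" % line)
        entries[(int(fields[0]), int(fields[1]))] = fields[2]
    return entries


def lookup(sid_map, gen_map, gid, sid):
    """Text and shared-object rules (gid 1 and 3) are named from sid-msg.map, everything else from gen-msg.map."""
    table = sid_map if gid in (1, 3) else gen_map
    return table.get((gid, sid))


def sql_quote(s):
    """Single-quoted SQL string literal with backslashes and quotes escaped (MySQL style)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def fix_signature_names(rows, sid_map, gen_map):
    """rows: (sig_id, sig_name, sig_rev, sig_sid, sig_gid) from barnyard2's signature table.
    Returns (sql_updates, unresolved): one UPDATE per placeholder row now present in the maps,
    and (sig_id, reason) for rows that still cannot be named."""
    updates, unresolved = [], []
    for sig_id, sig_name, sig_rev, sig_sid, sig_gid in rows:
        m = DEFAULT_NAME.match(sig_name)
        if m is None:
            continue  # row already carries a real name; leave it alone
        gid, sid, rev = (int(g) for g in m.groups())
        # the placeholder text must agree with the row's own columns before we trust either
        if (gid, sid, rev) != (sig_gid, sig_sid, sig_rev):
            unresolved.append((sig_id, "placeholder disagrees with sig_gid/sig_sid/sig_rev"))
            continue
        msg = lookup(sid_map, gen_map, gid, sid)
        if msg is None:
            unresolved.append((sig_id, "%d:%d not in sid-msg.map/gen-msg.map" % (gid, sid)))
            continue
        updates.append("UPDATE signature SET sig_name = %s WHERE sig_id = %d;" % (sql_quote(msg), sig_id))
    return updates, unresolved


# --- constructed sample input; the messages are placeholders, not real Snort rule text ---
SID_MSG_MAP = """#v2
1 || 1917 || 15 || attempted-recon || 3 || SAMPLE text rule 1917 || url,example.test/1917
1 || 24303 || 6 || trojan-activity || 1 || SAMPLE text rule 24303 (it's quoted)
"""
GEN_MSG_MAP = """# gid || sid || msg
116 || 412 || (snort_decoder) SAMPLE decoder event 412
122 || 23 || (portscan) SAMPLE portscan event 23
"""
SIGNATURE_ROWS = [
    (154975, "Snort Alert [116:412:1]", 1, 412, 116),
    (154977, "Snort Alert [122:23:1]", 1, 23, 122),
    (154982, "Snort Alert [1:1917:15]", 15, 1917, 1),
    (154983, "Snort Alert [1:24303:6]", 6, 24303, 1),
    (154989, "Snort Alert [116:445:1]", 1, 445, 116),  # not in the sample gen-msg.map
    (154991, "Snort Alert [1:2329:14]", 14, 2329, 3),  # gid column disagrees with the name
    (100001, "Already named event", 1, 1, 1),          # skipped: not a placeholder
]

if __name__ == "__main__":
    sid_map, gen_map = parse_sid_msg_map(SID_MSG_MAP), parse_gen_msg_map(GEN_MSG_MAP)
    sql, missing = fix_signature_names(SIGNATURE_ROWS, sid_map, gen_map)
    print("\n".join(sql))
    print("\n".join("-- sig_id %d unchanged: %s" % m for m in missing))
```

Feed it the output of `SELECT sig_id, sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_name LIKE 'Snort Alert [%';` together with the maps barnyard2 is actually configured to read, review the generated statements, and apply them inside a transaction. This only renames rows; the sig_class_id and sig_priority that barnyard2 stored for a placeholder row are whatever it had at insert time, and nothing here stops new placeholder rows from appearing, which is why the maps must be correct when barnyard2 starts, as Joel says above.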
