Snort mailing list archives
Appearance of new custom alerts in BASE delayed
From: Black Lion via Snort-users <snort-users () lists snort org>
Date: Wed, 20 Jun 2018 15:07:45 +0200
Hello. I am running Snort 2.9.11.1 on Ubuntu Server 16.04. I am also running Barnyard2 2.1.14, BASE 1.4.5 and PulledPork 0.7.4. Whenever I add a custom rule in /etc/snort/rules/local.rules and do a test connection to trigger the custom alert, this alert does not appear in BASE right away. It appears after some time has elapsed.

Below is what I have done which results in the delay:

- Added the below custom rule to /etc/snort/rules/local.rules:

      alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; GID:1; sid:1000008; rev:001; classtype:misc-activity;)

- Ran PulledPork in order to add the custom rule to /etc/snort/sid-msg.map (the new entry has been added in sid-msg.map).
- Restarted the snort and barnyard2 services.
- Connected to the snort database and ran the below line to check if barnyard2 has added the custom rule to the database:

      SELECT * FROM snort.signature WHERE sig_name = 'RDP to server';

  (it took ~15 min before the custom rule was added to the database).
- To test if the custom rule works, I connected to the server using Remote Desktop.
- The interesting thing is that one of the downloaded Snort rules, "ET POLICY RDP connection confirm", appears in BASE as an alert, but my custom alert does not appear in BASE. After a long delay, my custom alert eventually appears.

What could be the reason that there is a delay with the added custom alert appearing in BASE? Is there a way to troubleshoot this?
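One troubleshooting step for the situation above is to confirm that every sid in local.rules actually has a matching entry in the sid-msg.map that barnyard2 reads, since a rule missing from the map cannot be labelled in the signature table. The script below is an added example, not part of the original post or of the Snort/PulledPork projects; it assumes the PulledPork "v2" sid-msg.map layout (gid || sid || rev || classification || priority || msg) alongside the older "sid || msg" layout, and the rule and map text are constructed samples embedded inline.

```python
import re

# Constructed sample in the style of /etc/snort/rules/local.rules (second rule deliberately unmapped)
LOCAL_RULES = '''
alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; GID:1; sid:1000008; rev:001; classtype:misc-activity;)
alert tcp any any -> 192.168.1.97 22 (msg:"SSH to server"; sid:1000009; rev:1; classtype:misc-activity;)
'''

# Constructed sample in the PulledPork "v2" sid-msg.map layout
SID_MSG_MAP = '''#v2
1 || 1000008 || 1 || misc-activity || 3 || RDP to server
'''

# Matches one "keyword:value;" rule option; the value may be a quoted string
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rules(text):
    """Return {(gid, sid): (rev, msg)} for every active rule line (gid defaults to 1)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '(' not in line:
            continue
        body = line[line.index('(') + 1:]
        opts = {k.lower(): v.strip().strip('"') for k, v in OPT_RE.findall(body)}
        if 'sid' not in opts:
            continue
        key = (int(opts.get('gid', 1)), int(opts['sid']))
        rules[key] = (int(opts.get('rev', 0)), opts.get('msg', ''))
    return rules


def parse_sid_msg_map(text):
    """Return {(gid, sid): msg}; detects the v2 layout by its '#v2' header, else assumes v1."""
    lines = [l for l in text.splitlines() if l.strip()]
    v2 = bool(lines) and lines[0].strip().lower() == '#v2'
    entries = {}
    for line in lines:
        if line.startswith('#'):
            continue
        f = [x.strip() for x in line.split('||')]
        entries[(int(f[0]), int(f[1])) if v2 else (1, int(f[0]))] = f[5] if v2 else f[1]
    return entries


def missing_from_map(rules_text, map_text):
    """Return sorted (gid, sid, msg) tuples for rules that have no sid-msg.map entry."""
    mapped = parse_sid_msg_map(map_text)
    return sorted((g, s, m) for (g, s), (_, m) in parse_rules(rules_text).items()
                  if (g, s) not in mapped)
```

Run it against the real files by reading /etc/snort/rules/local.rules and /etc/snort/sid-msg.map into the two arguments; an empty result means the map is not the reason the alert is unlabelled, and the restart/flush timing of barnyard2 is the next thing to look at.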