Snort mailing list archives
Re: barnyard loses details WRT ACID?
From: Bamm Visscher <bamm () satx rr com>
Date: Mon, 15 Mar 2004 19:15:57 -0600
You need to update your sid-msg.map. Barnyard relies on it to pull the "message" info. Format is:

    signature ID || Message

like:

    1000004 || LOCAL Idiot Test

Bammkkkk

On Tue, Mar 16, 2004 at 01:14:16PM +1300, Jason Haar wrote:
I'm starting to use barnyard to allow me to create a "central server" containing all the events from our Snort network. I've got the data coming over fine - and it imports fine via barnyard.

However, when I go to ACID to view it, a strange thing can be seen. Most of the entries look 100% fine - but a few show up with bizarre description names of "Snort Alert [1:XXXXXXX:0]" - where XXXXXXX is the SID.

e.g. I have this Blaster rule:

    alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 0000|"; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1; resp:rst_all;)

That shows up as "Snort Alert [1:1101000:0]" instead of "Possible dcom...". Within the actual "real" Snort IDS box, it has "Possible dcom..." - so this problem is related more to barnyard than snort I guess...

Snort 2.1.1

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
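The reply above boils down to a bookkeeping rule: every SID that can fire on the sensor must have a matching `sid || msg` line in the sid-msg.map barnyard reads, or ACID is left with the "Snort Alert [1:SID:0]" placeholder. The script below is an added example, not code from the thread or from the Snort/barnyard projects: it parses a rules file and a sid-msg.map, reports SIDs that are missing from the map or whose map text no longer matches the rule, and prints the map lines to append in the format quoted in the reply. The rules and map contents are constructed samples (the dcom rule's content is shortened), and the placeholder description is modelled on what the original post says ACID displayed.

```python
"""Audit a Snort rules file against barnyard's sid-msg.map.

Added example. Assumes the sid-msg.map format "SID || message [|| ref ...]"
from the reply above and the "Snort Alert [1:SID:0]" placeholder the
original post reports seeing in ACID for SIDs absent from the map.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample rules: the dcom rule from the post (content shortened)
# plus two local rules, one of them with an escaped quote in its msg.
RULES = r'''
# local.rules (constructed sample)
alert tcp any any -> any 135:139 (msg:"Possible dcom*.c EXPLOIT ATTEMPT to 135-139"; content:"|05 00 0B 03 10 00 00 00|"; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:1101000; rev:1; resp:rst_all;)
alert tcp any any -> any 80 (msg:"LOCAL Idiot Test"; content:"idiot"; sid:1000004; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL ssh \"probe\""; sid:1000005; rev:2;)
'''

# Constructed sample sid-msg.map: 1000004 is correct, 1000005 has stale text,
# 1101000 (the dcom rule) is missing, which reproduces the symptom in the post.
SID_MSG_MAP = '''\
# SID || message || optional references
1000004 || LOCAL Idiot Test
1000005 || LOCAL ssh probe (old text) || cve,CAN-2003-0352
'''

ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")
# key:value pairs inside the rule's option block; quoted values may contain \"
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rules(text: str) -> Dict[int, Tuple[str, int]]:
    """Map sid -> (msg, rev) for every rule line in the text."""
    rules: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(ACTIONS):
            continue  # blank line, comment, or not a rule
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue  # no option block; Snort itself would reject this
        opts = {k: v.strip() for k, v in OPTION_RE.findall(line[start + 1:end])}
        if "sid" not in opts or "msg" not in opts:
            continue
        msg = opts["msg"]
        if len(msg) >= 2 and msg[0] == '"' and msg[-1] == '"':
            msg = msg[1:-1].replace('\\"', '"')  # drop quotes, unescape \"
        rules[int(opts["sid"])] = (msg, int(opts.get("rev", "0")))
    return rules


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Map sid -> msg from sid-msg.map lines of the form 'sid || msg || ref ...'."""
    sidmap: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # not a usable map entry
        sidmap[int(fields[0])] = fields[1]
    return sidmap


def acid_description(sid: int, sidmap: Dict[int, str], gid: int = 1) -> str:
    """The mapped msg, or the 'Snort Alert [gid:sid:0]' placeholder from the post."""
    return sidmap.get(sid, "Snort Alert [%d:%d:0]" % (gid, sid))


def audit(rules: Dict[int, Tuple[str, int]],
          sidmap: Dict[int, str]) -> Dict[str, List[int]]:
    """SIDs with no map entry, and SIDs whose map text disagrees with the rule."""
    missing = sorted(s for s in rules if s not in sidmap)
    stale = sorted(s for s in rules if s in sidmap and sidmap[s] != rules[s][0])
    return {"missing": missing, "stale": stale}


def map_lines(rules: Dict[int, Tuple[str, int]], sids: List[int]) -> List[str]:
    """sid-msg.map lines to append for the given SIDs, in the reply's format."""
    return ["%d || %s" % (sid, rules[sid][0]) for sid in sids]


if __name__ == "__main__":
    rules = parse_rules(RULES)
    sidmap = parse_sid_msg_map(SID_MSG_MAP)
    report = audit(rules, sidmap)
    for sid in report["missing"]:
        print("missing: sid %d will show as %r" % (sid, acid_description(sid, sidmap)))
    for sid in report["stale"]:
        print("stale:   sid %d map says %r, rule says %r"
              % (sid, sidmap[sid], rules[sid][0]))
    print("append to sid-msg.map:")
    for line in map_lines(rules, report["missing"]):
        print("  " + line)
```

Run it against the real rules directory and the sid-msg.map on the barnyard host rather than the embedded samples; the stale check matters because a rule whose msg is edited without touching the map silently keeps the old description in ACID.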
Current thread:
- barnyard loses details WRT ACID? Jason Haar (Mar 15)
- Re: barnyard loses details WRT ACID? Bamm Visscher (Mar 15)
- Re: barnyard loses details WRT ACID? AJ Butcher, Information Systems and Computing (Mar 16)
- Re: barnyard loses details WRT ACID? Bamm Visscher (Mar 15)