Snort mailing list archives

Re: reference tags: snort, bleeding sigs, database plugin, MySQL, BASE, somebody!


From: Kevin Johnson <kjohnson () secureideas net>
Date: Sat, 06 Aug 2005 14:59:59 -0400

On Wed, 2005-08-03 at 22:22 -0400, Jeff Kell wrote:
This may very well be a "known problem" or "not a bug, it's a feature", but I thought I would point out this little 
annoyance...

Using the above combination, the resulting BASE alert displays the message text from the rule, and prefixes it with 
URL links for the reference tags (url, bugtraq, cve, etc).  However, many of them are *NOT* properly linked with URL 
links, only the reference type "word" and no link.

For example (using text, not pasting html, so bear with me), the bleeding-sig 2000900, which I'll twist around so the 
exact spacing of the reference tags are clear:


... snip ... 

This is rendered in BASE with:

[url] url url[snort] BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP

Only the first [url] is really a hyperlink.  The other two urls are, well, just the word url.  The rendered html from 
BASE shows:


... snip ... 

Apparently the reference: tags are pushed out in the opposite order they appear in the rule, but I don't care what 
order they come in.  I just want the hyperlinks to survive intact - the 'url' words without a real hyperlink also 
drop any semblance of the original reference.

What appears to cause this is the presence or absence of a space between the "reference:" in the rule and the 
reference type.  e.g., 'reference:url,www.foo.bar' works, 'reference: url,www.foo.bar' fails.

So I'm not sure who is at fault here :-)  It shows up in BASE.  But the underlying alert database is also at fault -- 
we find the reference types appear twice(!) -- once with a leading space, once without:


... snip ... 

Could this be the database plugin?  The sid-message.map file is consistent, so posting to the database via Barnyard 
might not have this behavior (I don't know, I don't have barnyard).

Could this be snort parsing the reference tags in the rule differently?  I don't feel up to source digging at the 
moment so that one will be left as an exercise for the reader (or a comment from sourcefire :-) ).

The easy fix is to blame bleedingsnort for the occasional space after the reference: tag (which sourcefire doesn't 
appear to have), but this could wreak havoc on existing databases and archives.  Doesn't particularly bother me, but 
might bother someone else.

Comments?  

Jeff

Hi-

I am not sure who to blame either... I think the rule parser should
probably handle this but we should be displaying it correctly.  I have
checked a simple fix into CVS and it will be part of BASE 1.1.4 which
should be released soon.  I would greatly appreciate any testing of the
fix you would be willing to do for us.

Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
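To make the parsing difference Jeff describes concrete, here is an added example (not code from the thread, Snort, or BASE) that pulls the reference: options out of a constructed rule and shows why 'reference: url,...' ends up as a second, unlinkable reference type unless the parser strips the whitespace. The rule text and the URL-prefix table are constructed for this example; the prefixes only imitate the style of Snort's reference.config.

```python
# Constructed sample rule: the second reference has a space after "reference:",
# the formatting the thread attributes to some bleeding-edge signatures.
SAMPLE_RULE = (
    'alert udp any any -> any 3306 (msg:"EXAMPLE Probe"; '
    'reference:url,www.example.org/a; reference: url,www.example.org/b; '
    'reference:bugtraq,12345; sid:1000001; rev:1;)'
)

# Assumed URL prefixes per reference type (constructed; modelled on reference.config).
REFERENCE_PREFIXES = {
    "url": "http://",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}


def extract_references(rule, normalize=True):
    """Return (ref_type, ref_id) pairs from the rule's reference: options.

    With normalize=False the type is kept exactly as written, so
    'reference: url,...' yields ' url': the leading-space duplicate the thread
    found in the alert database. With normalize=True surrounding whitespace is
    stripped, so both spellings collapse to the single key 'url'.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    refs = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt.startswith("reference:"):
            continue
        value = opt[len("reference:"):]  # any space after the colon survives here
        ref_type, _, ref_id = value.partition(",")
        if normalize:
            ref_type = ref_type.strip()
            ref_id = ref_id.strip()
        refs.append((ref_type, ref_id))
    return refs


def build_links(refs):
    """Map each reference to a full URL; an unknown type (e.g. ' url') gets None,
    which is the 'just the word url, no hyperlink' display from the thread."""
    links = []
    for ref_type, ref_id in refs:
        prefix = REFERENCE_PREFIXES.get(ref_type)
        links.append((ref_type, prefix + ref_id if prefix else None))
    return links
```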
