Snort mailing list archives
Re: reference tags: snort, bleeding sigs, database plugin,MySQL, BASE, somebody!
From: Kevin Johnson <kjohnson () secureideas net>
Date: Sat, 06 Aug 2005 14:59:59 -0400
On Wed, 2005-08-03 at 22:22 -0400, Jeff Kell wrote:
This may very well be a "known problem" or "not a bug, it's a feature", but I thought I would point out this little annoyance... Using the above combination, the resulting BASE alert displays the message text from the rule, and prefixes it with URL links for the reference tags (url, bugtraq, cve, etc). However, many of them are *NOT* properly linked with URL links, only the reference type "word" and no link. For example (using text, not pasting html, so bear with me), the bleeding-sig 2000900, which I'll twist around so the exact spacing of the reference tags is clear:
... snip ...
This is rendered in BASE with:

[url] url url [snort] BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP

Only the first [url] is really a hyperlink. The other two urls are, well, just the word url. The rendered html from BASE shows:
... snip ...
Apparently the reference: tags are pushed out in the opposite order they appear in the rule, but I don't care what order they come in. I just want the hyperlinks to survive intact - the 'url' words without a real hyperlink also drop any semblance of the original reference. What appears to cause this is the presence or absence of a space between the "reference:" in the rule and the reference type. e.g., 'reference:url,www.foo.bar' works, 'reference: url,www.foo.bar' fails. So I'm not sure who is at fault here :-) It shows up in BASE. But the underlying alert database is also at fault -- we find the reference types appear twice(!) -- once with a leading space, once without:
... snip ...
Could this be the database plugin? The sid-message.map file is consistent, so posting to the database via Barnyard might not have this behavior (I don't know, I don't have barnyard). Could this be snort parsing the reference tags in the rule differently? I don't feel up to source digging at the moment so that one will be left as an exercise for the reader (or a comment from sourcefire :-) ). The easy fix is to blame bleedingsnort for the occasional space after the reference: tag (which sourcefire doesn't appear to have), but this could wreak havoc on existing databases and archives. Doesn't particularly bother me, but might bother someone else. Comments? Jeff
Hi-

I am not sure who to blame either... I think the rule parser should probably handle this but we should be displaying it correctly. I have checked a simple fix into CVS and it will be part of BASE 1.1.4 which should be released soon. I would greatly appreciate any testing of the fix you would be willing to do for us.

Thanks
Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
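The failure mode Jeff describes (a space between "reference:" and the reference type surviving into the stored type name, so the lookup table no longer matches and the display falls back to the bare word) is easy to reproduce and to guard against in one place. The following is an added example, not code from Snort, Barnyard or BASE: it parses the reference: options out of a rule, shows the naive split producing " url" next to a whitespace-tolerant parse, and canonicalizes reference-system rows that already exist twice in a database. The sample rule, the reference-system URL prefixes and the row ids are constructed for the example; the real 2000900 options were snipped from the archive.

```python
import re

# Constructed sample rule, modelled on the quoted description of bleeding-edge
# sig 2000900; the option values are illustrative, not the real signature.
SAMPLE_RULE = (
    'alert udp any any -> any 33033 (msg:"BLEEDING-EDGE Malware JoltID Agent '
    'Probing or Announcing UDP"; reference:url,www.example.invalid/joltid; '
    'reference: url,www.example.invalid/p2p; reference: bugtraq,12345; '
    'reference:cve,2005-0001; sid:2000900; rev:1;)'
)

# Reference system -> URL prefix, the same kind of table Snort keeps in
# reference.config (prefixes assumed for the example).
REFERENCE_SYSTEMS = {
    "url": "http://",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}

REF_OPTION = re.compile(r"reference:([^;]*);")


def parse_references_naive(rule):
    """Split each reference: option at the first comma without trimming.
    A space after 'reference:' yields the type ' url', which has no entry
    in the lookup table: this is the behaviour described in the thread."""
    refs = []
    for body in REF_OPTION.findall(rule):
        ref_type, _, ref_id = body.partition(",")
        refs.append((ref_type, ref_id))
    return refs


def parse_references(rule):
    """Tolerant parse: trim whitespace around type and id, lowercase the type."""
    refs = []
    for body in REF_OPTION.findall(rule):
        ref_type, _, ref_id = body.partition(",")
        refs.append((ref_type.strip().lower(), ref_id.strip()))
    return refs


def render_links(refs, systems=REFERENCE_SYSTEMS):
    """Return one rendered entry per reference: a full URL when the type is
    known, otherwise only the bare type word (what BASE showed for ' url')."""
    rendered = []
    for ref_type, ref_id in refs:
        prefix = systems.get(ref_type)
        rendered.append(prefix + ref_id if prefix is not None else ref_type.strip())
    return rendered


def canonicalize_reference_systems(rows):
    """rows: (id, name) pairs as stored in a reference_system style table.
    Returns (id -> canonical name, {canonical name: [ids]} for duplicates),
    so rows that differ only by leading/trailing space can be merged."""
    by_canonical = {}
    for sys_id, name in rows:
        by_canonical.setdefault(name.strip().lower(), []).append(sys_id)
    id_to_name = {sys_id: name for name, ids in by_canonical.items() for sys_id in ids}
    duplicates = {name: ids for name, ids in by_canonical.items() if len(ids) > 1}
    return id_to_name, duplicates


if __name__ == "__main__":
    print("naive   :", render_links(parse_references_naive(SAMPLE_RULE)))
    print("tolerant:", render_links(parse_references(SAMPLE_RULE)))
    # Constructed rows mirroring "reference types appear twice" in the database.
    print(canonicalize_reference_systems(
        [(1, "url"), (2, " url"), (3, "bugtraq"), (4, " bugtraq"), (5, "cve")]))
```

The tolerant parser is the fix that belongs in whichever component writes the reference type to the database; canonicalize_reference_systems is the clean-up for archives that already hold both the spaced and unspaced rows.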