Snort mailing list archives

Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Thu, 2 Sep 2010 17:52:36 -0400

Hi Paul,

Thanks for your reply, going on your description:

paul> The classification id is "embedded" in the db already.  Each active
paul> signature is registered with its class_id when it's read into snort
paul> during startup.  When a signature triggers, its sig_name ties to all
paul> the other values.

I cleared my mysql.log, started barnyard2 then snort.

I checked the mysql.log and it did not show where barnyard did anything you 
mentioned above at startup.


Thanks,
Larry



----- Original Message ----- 
From: "Paul Schmehl" <pschmehl_lists () tx rr com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>; 
<snort-users () lists sourceforge net>
Sent: Thursday, September 02, 2010 5:20 PM
Subject: Re: [Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id


--On Thursday, September 02, 2010 14:35:42 -0400 "Lawrence R. Hughes, Sr." 
<lhughes () safemedia com> wrote:


Hi,

I have noticed that snort populates the 32 bit field for the classification
id in its unified2 output, but barnyard2 never inserts the classification id
into the database?

[snipped details]

So how does base know the class_id?


The classification id is "embedded" in the db already.  Each active 
signature is registered with its class_id when it's read into snort during 
startup.  When a signature triggers, its sig_name ties to all the other 
values.

mysql> describe sig_class;
+----------------+------------------+------+-----+---------+----------------+
| Field          | Type             | Null | Key | Default | Extra          |
+----------------+------------------+------+-----+---------+----------------+
| sig_class_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_class_name | varchar(60)      | NO   | MUL | NULL    |                |
+----------------+------------------+------+-----+---------+----------------+
2 rows in set (0.02 sec)

mysql> describe signature;
+--------------+------------------+------+-----+---------+----------------+
| Field        | Type             | Null | Key | Default | Extra          |
+--------------+------------------+------+-----+---------+----------------+
| sig_id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_name     | varchar(255)     | NO   | MUL | NULL    |                |
| sig_class_id | int(10) unsigned | NO   | MUL | NULL    |                |
| sig_priority | int(10) unsigned | YES  |     | NULL    |                |
| sig_rev      | int(10) unsigned | YES  |     | NULL    |                |
| sig_sid      | int(10) unsigned | YES  |     | NULL    |                |
| sig_gid      | int(10) unsigned | YES  |     | NULL    |                |
+--------------+------------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)

mysql> select * from sig_class limit 25;
+--------------+--------------------------+
| sig_class_id | sig_class_name           |
+--------------+--------------------------+
|            1 | trojan-activity          |
|            2 | misc-activity            |
|            3 | non-standard-protocol    |
|            4 | bad-unknown              |
|            5 | web-application-attack   |
|            6 | attempted-admin          |
|            7 | attempted-recon          |
|            8 | web-application-activity |
|            9 | successful-recon-limited |
|           10 | attempted-dos            |
|           11 | policy-violation         |
|           12 | rpc-portmap-decode       |
|           13 | protocol-command-decode  |
|           14 | string-detect            |
|           15 | misc-attack              |
|           16 | shellcode-detect         |
|           17 | successful-admin         |
+--------------+--------------------------+
17 rows in set (0.00 sec)

mysql> select count(sig_name) from signature;
+-----------------+
| count(sig_name) |
+-----------------+
|             685 |
+-----------------+
1 row in set (0.00 sec)

mysql> select sig_name, sig_class_id from signature where sig_name like '%et trojan%' limit 5;
+-------------------------------------------------------------+--------------+
| sig_name                                                    | sig_class_id |
+-------------------------------------------------------------+--------------+
| "ET TROJAN Torpig Reporting User Activity (wur8)"           |            1 |
| "ET TROJAN Torpig Reporting User Activity (x25)"            |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
| "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
+-------------------------------------------------------------+--------------+
5 rows in set (0.00 sec)

mysql> select sig_id, signature.sig_class_id, sig_name from signature, sig_class where signature.sig_class_id=sig_class.sig_class_id and sig_name like '%et trojan%' limit 5;
+--------+--------------+-------------------------------------------------------------+
| sig_id | sig_class_id | sig_name                                                    |
+--------+--------------+-------------------------------------------------------------+
|    304 |            1 | "ET TROJAN Torpig Reporting User Activity (wur8)"           |
|    305 |            1 | "ET TROJAN Torpig Reporting User Activity (x25)"            |
|    306 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
|    309 |            1 | "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |
|    338 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
+--------+--------------+-------------------------------------------------------------+
5 rows in set (0.00 sec)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
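Added example, not code from the thread or from barnyard2/BASE: it models the lookup Paul describes, using the sig_class and signature column layout from his `describe` output in an in-memory SQLite database, and shows how a console recovers a classification for an event by joining event -> signature -> sig_class even though no class id is written with the event. The event table layout, the sample alerts (including their sid/rev numbers), and the register-on-first-alert timing are assumptions for illustration; whether registration happens at startup or at first alert is exactly what the thread is debating, and this example does not settle that.

```python
"""Model of the sig_class / signature / event relationship from the thread.

Assumptions (not on the page): the event table columns, the sample alerts
below, and registering a signature when its first alert arrives rather than
at startup. This is illustrative code, not barnyard2's or BASE's.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name VARCHAR(60) NOT NULL UNIQUE
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     VARCHAR(255) NOT NULL,
    sig_class_id INTEGER NOT NULL REFERENCES sig_class(sig_class_id),
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
-- Assumed minimal event table: the event row carries only a sig_id.
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample alerts: (gid, sid, rev, msg, classtype, priority).
# The sid/rev numbers are placeholders, not real rule identifiers.
SAMPLE_ALERTS = [
    (1, 100001, 1, "ET TROJAN Torpig Reporting User Activity (wur8)", "trojan-activity", 1),
    (1, 100001, 1, "ET TROJAN Torpig Reporting User Activity (wur8)", "trojan-activity", 1),
    (1, 100002, 2, "EXAMPLE POLICY placeholder rule", "policy-violation", 2),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def class_id_for(conn, class_name):
    """Resolve a classtype name to sig_class_id, inserting it on first sight."""
    row = conn.execute(
        "SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?", (class_name,)
    ).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO sig_class (sig_class_name) VALUES (?)", (class_name,))
    return cur.lastrowid


def sig_id_for(conn, gid, sid, rev, msg, class_name, priority):
    """Resolve (gid, sid, rev) to sig_id; the class id is stored here, once per signature."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_gid = ? AND sig_sid = ? AND sig_rev = ?",
        (gid, sid, rev),
    ).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (msg, class_id_for(conn, class_name), priority, rev, sid, gid),
    )
    return cur.lastrowid


def insert_events(conn, sensor_id, alerts):
    """One event row per alert; no classification column is written with the event."""
    for cid, (gid, sid, rev, msg, cls, prio) in enumerate(alerts, start=1):
        sig_id = sig_id_for(conn, gid, sid, rev, msg, cls, prio)
        conn.execute(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (sensor_id, cid, sig_id, "2010-09-02 17:52:36"),
        )
    conn.commit()


def classify_events(conn):
    """The join a console needs: event -> signature -> sig_class."""
    return conn.execute(
        "SELECT e.sid, e.cid, s.sig_name, c.sig_class_name"
        " FROM event e"
        " JOIN signature s ON s.sig_id = e.signature"
        " JOIN sig_class c ON c.sig_class_id = s.sig_class_id"
        " ORDER BY e.sid, e.cid"
    ).fetchall()


def row_counts(conn):
    """(signature rows, sig_class rows): repeats of one rule add no new rows to either."""
    sigs = conn.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    classes = conn.execute("SELECT COUNT(*) FROM sig_class").fetchone()[0]
    return sigs, classes


def demo():
    conn = open_db()
    insert_events(conn, 1, SAMPLE_ALERTS)
    return conn


if __name__ == "__main__":
    db = demo()
    for row in classify_events(db):
        print(row)
    print("signature/sig_class rows:", row_counts(db))
```

The point the join makes is that the event row never needs a classification field: two events for the same rule share one signature row, and that row is the only place the sig_class_id lives, so checking mysql.log for per-event class inserts (as Larry did) would show nothing either way. To see whether anything was registered at all, query the signature and sig_class tables directly after startup and again after the first alert.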


Current thread: