Snort mailing list archives
Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Thu, 2 Sep 2010 17:52:36 -0400
Hi Paul,

Thanks for your reply, going on your description:

paul> The classification id is "embedded" in the db already. Each active signature
paul> is registered with its class_id when it's read into snort during startup. When
paul> a signature triggers, its sig_name ties to all the other values.

I cleared my mysql.log, started barnyard2 then snort. I checked the mysql.log and it did not show where barnyard did anything you mentioned above at startup.

Thanks,
Larry

----- Original Message -----
From: "Paul Schmehl" <pschmehl_lists () tx rr com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>; <snort-users () lists sourceforge net>
Sent: Thursday, September 02, 2010 5:20 PM
Subject: Re: [Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id
--On Thursday, September 02, 2010 14:35:42 -0400 "Lawrence R. Hughes, Sr." <lhughes () safemedia com> wrote:

> Hi, I have noticed that snort populates the 32 bit field for the classification id in its unified2 output, but barnyard2 never inserts the classification id into the database?
>
> [snipped details]
>
> So how does base know the class_id?

The classification id is "embedded" in the db already. Each active signature is registered with its class_id when it's read into snort during startup. When a signature triggers, its sig_name ties to all the other values.

mysql> describe sig_class;
+----------------+------------------+------+-----+---------+----------------+
| Field          | Type             | Null | Key | Default | Extra          |
+----------------+------------------+------+-----+---------+----------------+
| sig_class_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_class_name | varchar(60)      | NO   | MUL | NULL    |                |
+----------------+------------------+------+-----+---------+----------------+
2 rows in set (0.02 sec)

mysql> describe signature;
+--------------+------------------+------+-----+---------+----------------+
| Field        | Type             | Null | Key | Default | Extra          |
+--------------+------------------+------+-----+---------+----------------+
| sig_id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_name     | varchar(255)     | NO   | MUL | NULL    |                |
| sig_class_id | int(10) unsigned | NO   | MUL | NULL    |                |
| sig_priority | int(10) unsigned | YES  |     | NULL    |                |
| sig_rev      | int(10) unsigned | YES  |     | NULL    |                |
| sig_sid      | int(10) unsigned | YES  |     | NULL    |                |
| sig_gid      | int(10) unsigned | YES  |     | NULL    |                |
+--------------+------------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)

mysql> select * from sig_class limit 25;
+--------------+--------------------------+
| sig_class_id | sig_class_name           |
+--------------+--------------------------+
|            1 | trojan-activity          |
|            2 | misc-activity            |
|            3 | non-standard-protocol    |
|            4 | bad-unknown              |
|            5 | web-application-attack   |
|            6 | attempted-admin          |
|            7 | attempted-recon          |
|            8 | web-application-activity |
|            9 | successful-recon-limited |
|           10 | attempted-dos            |
|           11 | policy-violation         |
|           12 | rpc-portmap-decode       |
|           13 | protocol-command-decode  |
|           14 | string-detect            |
|           15 | misc-attack              |
|           16 | shellcode-detect         |
|           17 | successful-admin         |
+--------------+--------------------------+
17 rows in set (0.00 sec)

mysql> select count(sig_name) from signature;
+-----------------+
| count(sig_name) |
+-----------------+
|             685 |
+-----------------+
1 row in set (0.00 sec)

mysql> select sig_name, sig_class_id from signature where sig_name like '%et trojan%' limit 5;
+-------------------------------------------------------------+--------------+
| sig_name                                                    | sig_class_id |
+-------------------------------------------------------------+--------------+
| "ET TROJAN Torpig Reporting User Activity (wur8)"           |            1 |
| "ET TROJAN Torpig Reporting User Activity (x25)"            |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
| "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
+-------------------------------------------------------------+--------------+
5 rows in set (0.00 sec)

mysql> select sig_id, signature.sig_class_id, sig_name from signature, sig_class where signature.sig_class_id=sig_class.sig_class_id and sig_name like '%et trojan%' limit 5;
+--------+--------------+-------------------------------------------------------------+
| sig_id | sig_class_id | sig_name                                                    |
+--------+--------------+-------------------------------------------------------------+
|    304 |            1 | "ET TROJAN Torpig Reporting User Activity (wur8)"           |
|    305 |            1 | "ET TROJAN Torpig Reporting User Activity (x25)"            |
|    306 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
|    309 |            1 | "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |
|    338 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
+--------+--------------+-------------------------------------------------------------+
5 rows in set (0.00 sec)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
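As an added illustration of the point in this thread (example code, not from the list or from barnyard2), the following Python reads the classification_id that Snort writes into a constructed unified2 IDS event record, then resolves the class name the way a console does, by joining the signature row to sig_class in a sqlite copy of the two tables shown above. The unified2 field layout and the gid/sid/rev lookup are assumptions; the sig_sid value is a constructed placeholder.

```python
import sqlite3
import struct

# Unified2 record header (type, length) and the Unified2IDSEvent body (type 7), both
# big-endian. Field order follows the unified2 format as assumed here, not the thread.
U2_HEADER = struct.Struct("!II")
U2_IDS_EVENT = struct.Struct("!IIIIIIIII II HH BBBB")  # 52 bytes
IDS_EVENT_TYPE = 7

def build_ids_event(gid, sid, rev, class_id, prio):
    """Constructed sample record (test data, not a real Snort capture)."""
    body = U2_IDS_EVENT.pack(1, 42, 1283464356, 0, sid, gid, rev, class_id, prio,
                             0x0A000001, 0xC0A80001, 4444, 80, 6, 0, 0, 0)
    return U2_HEADER.pack(IDS_EVENT_TYPE, len(body)) + body

def parse_ids_event(rec):
    """Return the signature/class fields Snort wrote into the unified2 record."""
    rtype, length = U2_HEADER.unpack_from(rec, 0)
    if rtype != IDS_EVENT_TYPE or length != U2_IDS_EVENT.size:
        raise ValueError("not a Unified2IDSEvent record")
    f = U2_IDS_EVENT.unpack_from(rec, U2_HEADER.size)
    return {"signature_id": f[4], "generator_id": f[5], "signature_revision": f[6],
            "classification_id": f[7], "priority_id": f[8]}

# sqlite copy of the sig_class / signature tables from the thread (MySQL types simplified)
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
    sig_class_id INTEGER NOT NULL, sig_priority INTEGER, sig_rev INTEGER,
    sig_sid INTEGER, sig_gid INTEGER);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sig_class VALUES (?, ?)",
                   [(1, "trojan-activity"), (2, "misc-activity")])
    db.execute("INSERT INTO signature VALUES (?, ?, ?, ?, ?, ?, ?)",  # sid is a placeholder
               (304, "ET TROJAN Torpig Reporting User Activity (wur8)", 1, 1, 3, 2000001, 1))
    return db

def classify(db, ev):
    """Resolve the class as a console would: event gid/sid/rev -> signature row -> sig_class."""
    return db.execute(
        "SELECT sig_class.sig_class_id, sig_class_name FROM signature "
        "JOIN sig_class ON signature.sig_class_id = sig_class.sig_class_id "
        "WHERE sig_gid = ? AND sig_sid = ? AND sig_rev = ?",
        (ev["generator_id"], ev["signature_id"], ev["signature_revision"])).fetchone()
```

Note that the class name comes back from the signature join even though the unified2 classification_id field is never consulted by the lookup, which is the behaviour Larry observed.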