Snort mailing list archives
Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: JS <jspudz () yahoo com>
Date: Fri, 17 Dec 2010 09:31:02 -0800 (PST)
Kevin thanks for the info. I reviewed my setup and my startup script for barnyard2 and its barnyard.conf both point to the gen-msg.map and sid-msg.map files in the /etc/snort directory. Those files were updated when I updated with the snort 2.9.0.1 ruleset. This is uber confusing as I have been reading the "README" for stream5 from snort 2.9.0.2 and it only lists SIDs for stream5 (generator id 129) that go up to number 14. Yet somehow my snort install (version 2.9.0.2) is throwing a SID of 15??? As far as I can see this event sid (129-15) does not even exist in snort 2.9.0.2 according to the readme. Any thoughts on this?

________________________________
From: Kevin Ross <kevross33 () googlemail com>
To: JS <jspudz () yahoo com>; snort-users () lists sourceforge net
Sent: Fri, December 17, 2010 8:40:51 AM
Subject: Re: [Snort-users] Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified

You need to include your gen-msg.map file in barnyard.conf. What it means if a number and GID is showing in the name in base instead of a proper name is that it doesn't have a -msg.map file such as it is missing from sid-msg.map, gen-msg.map etc. If you include them to be used then the name will appear. You may encounter the same issue if you do not update your sid-msg.map file and alerts appear for stuff (if you don't do it by script).

On 17 December 2010 15:43, JS <jspudz () yahoo com> wrote:

All,

I recently decided to update my IDS (RHEL 5) to use the latest versions of snort, barnyard, and base. Previously this was all working fine. I am able to compile snort 2.9.0.2, barnyard2, and base 1.4.5 just fine. Everything is working except for a few signatures showing up in Base. They are logging fine to my db, it's just that a few of the alerts are showing up as "unclassified" and the Signature is displaying as " Snort Alert [129:15:0] ". I also see the same events logged for signatures 120:3:0 and 129:16:0. Now I did use the snort rules 2.9.0.1 as 2.9.0.2 are not out yet so I'm not sure if that is causing a problem or not. I also created a new db, from the create_mysql included in snort 2.9.0.2. I then copied over the sid-msg.map, gen-msg.map, classification.config, unicode.map, and reference.config to the /etc/snort directory that were included in snort.2.9.0.2 tar file. I looked in the gen-msg.map file and I only see it going up to "14" for the 129 stream5 event. Could this be the problem? Snippet below:

--snippet from gen-msg.map--
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
--end snippet--

Have I missed a step somewhere? I have never seen this happen in my other snort deployments utilizing this same setup.

Thanks,
Joe

------------------------------------------------------------------------------
Lotusphere 2011 Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business. http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
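The thread comes down to how barnyard2 turns a `[gid:sid:rev]` triple into a name: preprocessor events (gid 129 stream5, gid 120 http_inspect) are looked up in gen-msg.map, rule events in sid-msg.map, and a triple missing from the maps is shown as the bare "Snort Alert [129:15:0]" string Joe saw in BASE. The parser below is an added example, not code from the thread or from Snort/barnyard2; the map entries are the snippet from the thread plus one constructed sid-msg.map row, and the fallback string format is assumed to match what BASE displayed.

```python
"""Resolve Snort [gid:sid:rev] triples through gen-msg.map / sid-msg.map.

Added example; the lookup rule (gid 1 and 3 via sid-msg.map, other gids via
gen-msg.map) and the fallback string are assumptions based on the thread."""

# gen-msg.map rows taken from the thread's snippet, plus a comment line.
GEN_MSG_MAP = """\
# gid || sid || message
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
"""

# Constructed sid-msg.map row in the Snort 2.x format: sid || message || refs...
SID_MSG_MAP = """\
1000001 || LOCAL constructed example rule || url,example.invalid/doc
"""


def _rows(text):
    """Yield the '||'-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [field.strip() for field in line.split("||")]


def parse_gen_msg_map(text):
    """gen-msg.map: 'gid || sid || message' -> {(gid, sid): message}."""
    return {(int(f[0]), int(f[1])): f[2] for f in _rows(text)}


def parse_sid_msg_map(text):
    """sid-msg.map: 'sid || message || ref...' -> {sid: message}; refs are dropped."""
    return {int(f[0]): f[1] for f in _rows(text)}


def resolve(gid, sid, rev, gen_map, sid_map):
    """Name for one event; unmapped triples fall back to the string BASE showed."""
    msg = sid_map.get(sid) if gid in (1, 3) else gen_map.get((gid, sid))
    return msg if msg is not None else f"Snort Alert [{gid}:{sid}:{rev}]"


def unmapped_events(events, gen_map, sid_map):
    """Triples that would display unnamed, e.g. to check a map update took effect."""
    return [e for e in events
            if resolve(*e, gen_map, sid_map).startswith("Snort Alert [")]
```

Running `unmapped_events` over the triples from the thread reports `(129, 15, 0)` and `(120, 3, 0)` as unmapped while `(129, 14, 0)` resolves, which is exactly the split between named and "unclassified" alerts Joe described.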
Current thread:
- Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Eoin Miller (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Russ Combs (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Joel Esler (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified JS (Dec 17)
- Re: Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified Kevin Ross (Dec 17)