Snort mailing list archives
Re: Alert Information Missing for alerts using barnyard2
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Fri, 20 May 2011 10:01:49 +0530
Hi,

Got it working. I had forgotten to restart Barnyard2.

On Thu, May 19, 2011 at 6:53 PM, beenph <beenph () gmail com> wrote:
> Snort Alert [3:13573:0]
>
> Means [gid:sid:revision], gid being Generator ID, sid being Signature ID
> and revision being revision.
>
> The alert you're seeing comes from a pre-compiled rule.
>
> On Thu, May 19, 2011 at 5:25 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
>> Hi,
>>
>> I used PulledPork to manage my rules and generate the sid-msg file. I also
>> used Barnyard2 to write the output to the database.
>>
>> On running snort, for all SO_rules (GID=3), the alert gets logged as follows:
>>
>>   Snort Alert [3:13573:0]
>>
>> I gathered from previous discussion that this happens when the sid-msg file
>> is incomplete, so barnyard does not know how to interpret an alert.
>>
>> Snort is started using
>>
>>   /usr/sbin/snort -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>
>> Barnyard2 is started using
>>
>>   /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
>>
>> Grepping for 13573 in sid-msg.map gives
>>
>>   # grep "13573" /etc/snort/sid-msg.map
>>   13573 || WEB-CLIENT Microsoft Outlook arbitrary command line attempt || url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx || cve,2008-0110
>>
>> So all information is there, then why is Barnyard2 not using the same info?
>>
>> P.S. Somebody suggested that this info should be in the gen-msg.map file,
>> but I think that the gen-msg.map file keeps a tab on the source of an alert
>> rather than the actual sid. So GID 3 will be looked up in gen-msg.map to
>> get "Snort Dynamic Alert", while 13573 should be looked up in sid-msg.map
>> to get the alert info and references.
>>
>> Regards,
>> Dheeraj
-- 
To iterate is human. To recurse, divine!
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
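The thread turns on how a [gid:sid:rev] triple is turned into a message: beenph explains the triple, and Dheeraj's P.S. describes the split between gen-msg.map (keyed by generator) and sid-msg.map (keyed by SID), with the generic "Snort Alert [3:13573:0]" string appearing whenever the lookup misses, as it does when Barnyard2 still holds the map it loaded at startup. The following is an added example, not Barnyard2's own code. It parses the v1 "sid || msg || ref || ref" layout shown in the grep output and a "gid || sid || msg" gen-msg.map, resolves an event, and reproduces the placeholder string on a miss. The rule that GID 1 and GID 3 resolve through sid-msg.map while every other generator resolves through gen-msg.map is taken from the thread's P.S. and stated here as an assumption about Barnyard2's behaviour; the map lines are constructed samples (the 13573 line is the one from the grep, the rest are made up), and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a v1 sid-msg.map: "sid || msg || ref || ref ...".
# The 13573 line is the one the thread's grep shows; the other is made up.
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
13573 || WEB-CLIENT Microsoft Outlook arbitrary command line attempt || url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx || cve,2008-0110
1000001 || LOCAL test rule (constructed)
"""

# Constructed sample of gen-msg.map: "gid || sid || msg". Generator IDs other
# than 1 (text rules) and 3 (shared-object rules) are resolved here.
GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
3 || 1 || Snort Dynamic Alert
116 || 1 || (snort_decoder) WARNING: Not IPv4 datagram (constructed)
"""

EVENT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def _fields(line: str) -> List[str]:
    """Split a map line on the '||' separator and trim each field."""
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """sid -> (msg, [references]); comments and blank lines are skipped."""
    sigs: Dict[int, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = _fields(line)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # malformed line: skip it rather than abort the whole map
        sigs[int(parts[0])] = (parts[1], parts[2:])
    return sigs


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """(gid, sid) -> msg for generator/preprocessor events."""
    gens: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = _fields(line)
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        gens[(int(parts[0]), int(parts[1]))] = parts[2]
    return gens


def parse_event_id(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (gid, sid, rev) from a string such as 'Snort Alert [3:13573:0]'."""
    m = EVENT_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def resolve(gid: int, sid: int, rev: int,
            sigs: Dict[int, Tuple[str, List[str]]],
            gens: Dict[Tuple[int, int], str]) -> Tuple[str, List[str]]:
    """Return (msg, references) for an event, or the generic placeholder.

    Assumption (from the thread's P.S.): GID 1 and GID 3 are keyed by SID in
    sid-msg.map; every other generator is keyed by (gid, sid) in gen-msg.map.
    A miss in whichever map applies yields the bare 'Snort Alert [g:s:r]'
    string seen in the thread.
    """
    if gid in (1, 3):
        hit = sigs.get(sid)
        if hit is not None:
            return hit
    else:
        msg = gens.get((gid, sid))
        if msg is not None:
            return (msg, [])
    return (f"Snort Alert [{gid}:{sid}:{rev}]", [])


if __name__ == "__main__":
    sigs = parse_sid_msg_map(SID_MSG_MAP)
    gens = parse_gen_msg_map(GEN_MSG_MAP)
    for raw in ("Snort Alert [3:13573:0]", "Snort Alert [116:1:1]", "Snort Alert [3:99999:0]"):
        gid, sid, rev = parse_event_id(raw)
        msg, refs = resolve(gid, sid, rev, sigs, gens)
        print(f"{raw:26} -> {msg}  {refs}")
    # A Barnyard2 started before sid-msg.map was regenerated still holds the
    # old table in memory; an empty map stands in for that stale state here.
    print(resolve(3, 13573, 0, {}, gens))
```

The last call is the situation in the thread: the file on disk is complete, but the process resolving events never loaded it, so the output is the placeholder rather than the WEB-CLIENT message. Restarting Barnyard2 (or any consumer that caches the maps) after PulledPork rewrites sid-msg.map is the fix, and a quick sanity check is to confirm the placeholder disappears for a SID that grep finds in the file.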
Current thread:
- Alert Information Missing for alerts using barnyard2 Dheeraj Gupta (May 19)
- Re: Alert Information Missing for alerts using barnyard2 Lay, James (May 19)
- Message not available
- Re: Alert Information Missing for alerts using barnyard2 Dheeraj Gupta (May 19)