Re: sid-msg.map

[Y M <snort () outlook com>]

The reason that you would see something like Snort Alert [1:24889:1] instead of the proper signature name is that when 
the alert was triggered, it did not have its own entry in the sid-msg.map to be stored into the "signature" table in 
"snort" database. The ultimate solution to that is to use PulledPork to generate your sid-msg.map file as Joel 
suggested. To update existing entries that don't have the proper signature name for I would suggest: running the 
following SQL statement against Snort database; by replacing the xxx with the signature sid you are looking for: SELECT 
* FROM signature WHERE sig_sid=xxx; This will return the record you are looking for. Then you can update the "sig_name" 
column with the appropriate signature name, either inline or by issuing an UPDATE statement.  YM> Date: Tue, 19 Mar 
2013 06:24:07 -0700
> From: johnny.venter () zoho com
> To: jthoel () gmail com
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] sid-msg.map
>
> Sorry, 
>  
> I had multiple alerts with the same issue and had the corresponding SID's in a list. The sid 25568 is the correct 
> one. 
>
> Do you know where this information is contained?  I've tried multiple MySQL queries, but cannot find the correct 
> location.
>
> Thank you.
>
> ---- On Thu, 14 Mar 2013 11:39:24 -0700 Jeremy Hoel wrote ---- 
>  
> > Your first alert is for SID 24889, yet your search through rules and 
> > sid-map is for 25568.. ?? Why was that? 
> >
> > When snorby shows the "Snort Alert.. blah blah". it's reading that 
> > from the DB. That information gets put into the DB from Barnyard2. 
> >
> > Barnyard2 reads the name of the rule from sid-msg.map (if it's 
> > configured to read the right one). 
> >
> > When you update your rules (hopefully using pulledpork) it should 
> > generate a new sid-msg.map. Then you restart BY2 to read the new 
> > file. 
> >
> > If that's not the process you are doing, or you haven't restarted BY2 
> > in a while.. then that's the problem. 
> >
> > You can do a UPDATE mysql command to change the name of the rule in the DB. 
> >
> >
> > On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter wrote: 
> > > I'm using Snorby as my front-end not sure if this question directly related 
> > > to Snort or Snorby. 
> > >
> > > Most of my alerts display the "msg" field, some do not 
> > >
> > > For example I see the following alert in Snorby: Snort Alert [1:24889:1] 
> > >
> > > Looking thru the rules and map files, I found this: 
> > >
> > > exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> > > (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; 
> > > flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; 
> > > pcre:"//[a-f0-9]{16}/q.php/U"; metadata:policy balanced-ips drop, policy 
> > > security-ips drop, service http; reference:cve,2006-0003; 
> > > reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; 
> > > reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; 
> > > reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; 
> > > reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; 
> > > reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) 
> > >
> > > sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page 
> > > retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || 
> > > cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || 
> > > cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || 
> > > cve,2008-0655 || cve,2007-5659 || cve,2006-0003 
> > >
> > > Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? 
> > >
> > > I *did* find info running the following MySQL queries: 
> > >
> > > select * from data where cid=25568; 
> > > select * from event where cid=25568; 
> > > select * from tcphdr where cid=25568; 
> > >
> > > …but did not find any msg info. Any ideas?? 
> > >
> > > Thanks. 
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------ 
> > > Everyone hates slow websites. So do we. 
> > > Make your web apps faster with AppDynamics 
> > > Download AppDynamics Lite for free today: 
> > > http://p.sf.net/sfu/appdyn_d2d_mar 
> > > _______________________________________________ 
> > > Snort-users mailing list 
> > > Snort-users () lists sourceforge net 
> > > Go to this URL to change user options or unsubscribe: 
> > > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > > Snort-users list archive: 
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort 
> > > news! 
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!