Snort mailing list archives
Re: sid-msg.map
From: Y M <snort () outlook com>
Date: Tue, 19 Mar 2013 14:42:55 +0000
The reason that you would see something like Snort Alert [1:24889:1] instead of the proper signature name is that when the alert was triggered, it did not have its own entry in the sid-msg.map to be stored into the "signature" table in "snort" database. The ultimate solution to that is to use PulledPork to generate your sid-msg.map file as Joel suggested. To update existing entries that don't have the proper signature name for I would suggest: running the following SQL statement against Snort database; by replacing the xxx with the signature sid you are looking for: SELECT * FROM signature WHERE sig_sid=xxx; This will return the record you are looking for. Then you can update the "sig_name" column with the appropriate signature name, either inline or by issuing an UPDATE statement. YM> Date: Tue, 19 Mar 2013 06:24:07 -0700
From: johnny.venter () zoho com To: jthoel () gmail com CC: snort-users () lists sourceforge net Subject: Re: [Snort-users] sid-msg.map Sorry, I had multiple alerts with the same issue and had the corresponding SID's in a list. The sid 25568 is the correct one. Do you know where this information is contained? I've tried multiple MySQL queries, but cannot find the correct location. Thank you. ---- On Thu, 14 Mar 2013 11:39:24 -0700 Jeremy Hoel wrote ----Your first alert is for SID 24889, yet your search through rules and sid-map is for 25568.. ?? Why was that? When snorby shows the "Snort Alert.. blah blah". it's reading that from the DB. That information gets put into the DB from Barnyard2. Barnyard2 reads the name of the rule from sid-msg.map (if it's configured to read the right one). When you update your rules (hopefully using pulledpork) it should generate a new sid-msg.map. Then you restart BY2 to read the new file. If that's not the process you are doing, or you haven't restarted BY2 in a while.. then that's the problem. You can do a UPDATE mysql command to change the name of the rule in the DB. On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter wrote:I'm using Snorby as my front-end not sure if this question directly related to Snort or Snorby. Most of my alerts display the "msg" field, some do not For example I see the following alert in Snorby: Snort Alert [1:24889:1] Looking thru the rules and map files, I found this: exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; pcre:"//[a-f0-9]{16}/q.php/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || cve,2007-5659 || cve,2006-0003 Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? I *did* find info running the following MySQL queries: select * from data where cid=25568; select * from event where cid=25568; select * from tcphdr where cid=25568; …but did not find any msg info. Any ideas?? Thanks. ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- sid-msg.map Johnny Venter (Mar 14)
- Re: sid-msg.map Jeremy Hoel (Mar 14)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map Y M (Mar 19)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map beenph (Mar 14)
- Re: sid-msg.map Joel Esler (Mar 19)
- Re: sid-msg.map Jeremy Hoel (Mar 14)