Snort mailing list archives

Re: Snort Barnyard2 and Snorby alert classification


From: beenph <beenph () gmail com>
Date: Sat, 19 Jan 2013 08:34:09 -0500

Didn't you send the exact same e-mail with a different e-mail address to
the list 3 days ago?



On Wed, Jan 16, 2013 at 8:06 AM, Federico Carbonell <federico_carbonell () bactssa com ar> wrote:

Hi everyone, I have this issue, maybe someone can help.

I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a
frontend. My problem is that I cannot match any Snort rule classification
with Snorby severity.

For example, I have this rule in Snort:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,to_client; content:"530 "; depth:4; metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)

As you can see, at the end of the line I assign a priority of 10 to that
rule; when I trigger the rule, by entering a wrong password on an FTP
server, the alert log shows this:

01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt [**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730

We can see that the priority 10 was there. But I also have Snort configured
to write the alerts to unified2; then Barnyard polls the data there and
writes it to a database. Later on, Snorby (the frontend) shows the data
that is stored in that table, in a fancy style...

When I check the same alert on Snorby, the severity of that alert is set
to 3, which means it is a low priority alert. Of course I want to change
that, but any modification that I make to the Snort priority doesn't show
up on Snorby.

As Snorby only shows the data written on the database, I checked what was
written for that alert:

mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from events_with_join order by timestamp desc limit 2;

+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
| sid | cid     | signature | timestamp           | id   | sig_priority | sig_name                                           |
+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
|   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3 | POLICY failed FTP login attempt                    |

So, it seems that Barnyard2, responsible for taking the data from the
unified2 archive and writing it to the database, is (?) assigning a
sig_priority of 3, which is not correct.

Perhaps someone has the same issue and can enlighten me...

Thanks!
--

Federico Carbonell
IT Infrastructure and Security Manager, Buenos Aires Container Terminal Services S.A.
Tel: 54-11-4510-9884
Fax: 54-11-4510-9891
Email: federico_carbonell () bactssa com ar




------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122912
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
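A check that helps narrow down where the priority gets lost in a pipeline like the one above. The script below is an added example, not code from the thread or from Snort, Barnyard2 or Snorby: it parses the rule's option block to get the priority Snort should assign (an explicit priority option overrides the classtype default from classification.config), parses the fast-format alert line to get the priority Snort actually emitted, and compares both against rows joined from the event and signature tables. The rule and alert line are the ones from the post, joined onto single lines; the classification.config excerpt and the database rows are constructed samples. The sig_gid/sig_sid/sig_rev columns are those of the standard Snort database schema's signature table, and note that the sid column in the post's query output is the sensor id, not the rule's sid.

```python
import re
from typing import Optional

# Constructed sample: the rule from the post, joined onto one line.
SAMPLE_RULE = (
    'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; '
    'flow:established,to_client; content:"530 "; depth:4; '
    'metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; '
    'sid:13360; rev:3; priority:10;)'
)

# Constructed excerpt of classification.config: classtype -> default priority.
CLASSIFICATIONS = {"policy-violation": 1, "attempted-admin": 1, "misc-activity": 3}

# Constructed sample: the fast-format alert line from the post.
SAMPLE_ALERT = (
    "01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt "
    "[**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730"
)

# Constructed rows, shaped like a JOIN of the event and signature tables.
# event.sid is the sensor id; the rule's sid is signature.sig_sid.
SAMPLE_DB_ROWS = [
    {"sid": 1, "cid": 2563231, "sig_gid": 1, "sig_sid": 13360, "sig_rev": 3,
     "sig_priority": 3, "sig_name": "POLICY failed FTP login attempt"},
]


def split_options(body: str) -> list:
    """Split an option block on ';' outside double quotes, honouring
    backslash escapes so content:"a\\;b" stays a single option."""
    items, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == ";" and not in_quotes:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(rule: str) -> dict:
    """Return the rule's options as a dict: quoted values are unquoted,
    valueless options (e.g. nocase) map to None, first occurrence wins."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block")
    options = {}
    for item in split_options(rule[start + 1:end]):
        key, sep, value = item.partition(":")
        value = value.strip() if sep else None
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.setdefault(key.strip(), value)
    return options


def effective_priority(options: dict) -> Optional[int]:
    """Snort semantics: an explicit priority option overrides the classtype
    default from classification.config; None if the rule sets neither."""
    if options.get("priority") is not None:
        return int(options["priority"])
    classtype = options.get("classtype")
    return CLASSIFICATIONS.get(classtype) if classtype else None


# [gid:sid:rev] msg [**] [Classification: ...] [Priority: N]; classification is optional.
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(\d+)\]"
)


def parse_fast_alert(line: str) -> dict:
    """Extract gid, sid, rev, message and priority from a fast-format alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a fast-format alert line")
    gid, sid, rev, msg, prio = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg, "priority": int(prio)}


def find_priority_mismatches(rule: str, alert_line: str, db_rows: list) -> list:
    """Compare declared (rule), emitted (alert log) and stored (database)
    priority for one signature; one finding string per disagreement."""
    options = parse_rule(rule)
    declared = effective_priority(options)
    alert = parse_fast_alert(alert_line)
    if (alert["sid"], alert["rev"]) != (int(options["sid"]), int(options["rev"])):
        return ["alert line does not belong to this rule's sid/rev"]
    findings = []
    if declared is not None and alert["priority"] != declared:
        findings.append(f"rule declares priority {declared} but Snort emitted {alert['priority']}")
    for row in db_rows:
        if (row["sig_gid"], row["sig_sid"], row["sig_rev"]) != (alert["gid"], alert["sid"], alert["rev"]):
            continue  # a different signature
        if row["sig_priority"] != alert["priority"]:
            findings.append(f"signature {row['sig_gid']}:{row['sig_sid']}:{row['sig_rev']} is stored "
                            f"with sig_priority {row['sig_priority']} but Snort emitted {alert['priority']}")
    return findings


if __name__ == "__main__":
    for finding in find_priority_mismatches(SAMPLE_RULE, SAMPLE_ALERT, SAMPLE_DB_ROWS):
        print(finding)
```

On the post's data the only finding is the stored sig_priority of 3 against an emitted priority of 10, which places the discrepancy after Snort: the rule and the alert log agree, so the signature row Barnyard2 wrote (or reused) is the thing to inspect next, not the rule syntax.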

