Re: sid-msg.map

[Jeremy Hoel <jthoel () gmail com>]

Your first alert is for SID 24889, yet your search through rules and
sid-map is for 25568..  ??  Why was that?

When snorby shows the "Snort Alert.. blah blah". it's reading that
from the DB.  That information gets put into the DB from Barnyard2.

Barnyard2 reads the name of the rule from sid-msg.map (if it's
configured to read the right one).

When you update your rules (hopefully using pulledpork) it should
generate a new sid-msg.map.  Then you restart BY2 to read the new
file.

If that's not the process you are doing, or you haven't restarted BY2
in a while.. then that's the problem.

You can do a UPDATE mysql command to change the name of the rule in the DB.


On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter <johnny.venter () zoho com> wrote:
> I'm using Snorby as my front-end not sure if this question directly related
> to Snort or Snorby.
>
> Most of my alerts display the "msg" field, some do not
>
> For example I see the following alert in Snorby: Snort Alert [1:24889:1]
>
> Looking thru the rules and map files, I found this:
>
> exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval";
> flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri;
> pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:cve,2006-0003;
> reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992;
> reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559;
> reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188;
> reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889;
> reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;)
>
> sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page
> retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 ||
> cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 ||
> cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 ||
> cve,2008-0655 || cve,2007-5659 || cve,2006-0003
>
> Are the entries in "exploit-kit.rules" and "sid-msg.map" correct?
>
> I *did* find info running the following MySQL queries:
>
> select * from data where cid=25568;
> select * from event where cid=25568;
> select * from tcphdr  where cid=25568;
>
> …but did not find any msg info.  Any ideas??
>
> Thanks.
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!