Snort mailing list archives
Re: sid-msg.map
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 14 Mar 2013 18:39:24 +0000
Your first alert is for SID 24889, yet your search through rules and sid-map is for 25568.. ?? Why was that? When snorby shows the "Snort Alert.. blah blah". it's reading that from the DB. That information gets put into the DB from Barnyard2. Barnyard2 reads the name of the rule from sid-msg.map (if it's configured to read the right one). When you update your rules (hopefully using pulledpork) it should generate a new sid-msg.map. Then you restart BY2 to read the new file. If that's not the process you are doing, or you haven't restarted BY2 in a while.. then that's the problem. You can do a UPDATE mysql command to change the name of the rule in the DB. On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter <johnny.venter () zoho com> wrote:
I'm using Snorby as my front-end not sure if this question directly related to Snort or Snorby. Most of my alerts display the "msg" field, some do not For example I see the following alert in Snorby: Snort Alert [1:24889:1] Looking thru the rules and map files, I found this: exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || cve,2007-5659 || cve,2006-0003 Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? I *did* find info running the following MySQL queries: select * from data where cid=25568; select * from event where cid=25568; select * from tcphdr where cid=25568; …but did not find any msg info. Any ideas?? Thanks. ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- sid-msg.map Johnny Venter (Mar 14)
- Re: sid-msg.map Jeremy Hoel (Mar 14)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map Y M (Mar 19)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map beenph (Mar 14)
- Re: sid-msg.map Joel Esler (Mar 19)
- Re: sid-msg.map Jeremy Hoel (Mar 14)