Re: PulledPork / Modifysid.conf Issues

[JJC <cummingsj () gmail com>]

This looks like a by2 issue... and one that the new sid-msg.map version two
should help address..... This being said, any by2 folks care to chime in
here?

JJC


On Thu, Sep 19, 2013 at 9:29 AM, Turnbough, Bradley E. <
bturnbough () belcan com> wrote:

> Gents,
>
> Snort ---2.9.3.1
> Pulled Pork ---0.6.1
> Barnyard2 ---2.1.9
> Sonrby ---2.5.3
>
> Rule BEFORE Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE
> Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00
> 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0;
> pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i";
> metadata:policy security-ips drop, service dns; classtype:trojan-activity;
> sid:15167; rev:11;)
>
> Rule after Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE
> Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00
> 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0;
> pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i";
> metadata:policy security-ips drop, service dns; classtype:misc-activity;
> sid:15167; rev:11;)
>
> Modifysid.conf:
> ------------------------------------------------------------
> 15167 "classtype:trojan-activity" "classtype:misc-activity";
> 19020 "classtype:trojan-activity" "classtype:misc-activity";
> 15168 "classtype:trojan-activity" "classtype:misc-activity";
>
> Classification.conf:
> ------------------------------------------------------------
> config classification: misc-activity,Misc activity,3
>
>
> What I'm trying to achieve:
> ------------------------------------------------------------
> I want to reclassify the rule from a HIGH priority (1) to a LOW priority
> (3).  It appears that pulled pork is doing its job, as I see the
> classification change in the rules file, but the event isn't being inserted
> by barnyard2 into the snorby database with a LOW priority as per the rule
> classification.  This is the very first time I've done this so I'm a bit
> confused as to why this is occurring.
>
> I've restarted both snort and also barnyard2, but no change in outcome.
>
>
> Ideas?
>
> Thanks,
>
> Brad
> _____________________________________________________________ This e-mail
> transmission contains information that is confidential and may be
> privileged. It is intended only for the addressee(s) named above. If you
> receive this e-mail in error, please do not read, copy or disseminate it in
> any manner. If you are not the intended recipient, any disclosure, copying,
> distribution or use of the contents of this information is prohibited.
> Please reply to the message immediately by informing the sender that the
> message was misdirected. After replying, please erase it from your computer
> system. Your assistance in correcting this error is appreciated.
>
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8,
> SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
> includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!