Re: PulledPork / Modifysid.conf Issues

[beenph <beenph () gmail com>]

While there is a few information missing below you will find a way to
fix this without mutch of a hassle.

A simple sql query should fix this. (and btw barnyard2 2-1.9 is old
you might want to consider to upgrade to current github master, but
thats an other topic).

1- Look if the signature is in the database: SELECT * FROM signature
WHERE sig_sid=15167;
2- Adjust signature:                                     UPDATE
signature SET sig_priority=3 WHERE sig_sid=15167;

And if you want to adjust priority for multiple signature adjust just
change the sig_sid argument of the sql expression.

 Also since you seem to change the classification, you might also want
to update that manually.

Enjoy.

-elz


On Thu, Sep 19, 2013 at 12:49 PM, Turnbough, Bradley E.
<bturnbough () belcan com> wrote:
> I'm not sure what you mean by 'it is already in the database' and to 'clear it out'
>
> Can you please clarify / provide a way to acheive that?
>
>
> ________________________________
> From: Turnbough, Bradley E.
> Sent: Thursday, September 19, 2013 10:29 AM
> To: snort-users () lists sourceforge net
> Subject: PulledPork / Modifysid.conf Issues
>
> Gents,
>
> Snort ---2.9.3.1
> Pulled Pork ---0.6.1
> Barnyard2 ---2.1.9
> Sonrby ---2.5.3
>
> Rule BEFORE Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; 
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; 
> pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service 
> dns; classtype:trojan-activity; sid:15167; rev:11;)
>
> Rule after Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; 
> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; 
> pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service 
> dns; classtype:misc-activity; sid:15167; rev:11;)
>
> Modifysid.conf:
> ------------------------------------------------------------
> 15167 "classtype:trojan-activity" "classtype:misc-activity";
> 19020 "classtype:trojan-activity" "classtype:misc-activity";
> 15168 "classtype:trojan-activity" "classtype:misc-activity";
>
> Classification.conf:
> ------------------------------------------------------------
> config classification: misc-activity,Misc activity,3
>
>
> What I'm trying to achieve:
> ------------------------------------------------------------
> I want to reclassify the rule from a HIGH priority (1) to a LOW priority (3).  It appears that pulled pork is doing 
> its job, as I see the classification change in the rules file, but the event isn't being inserted by barnyard2 into 
> the snorby database with a LOW priority as per the rule classification.  This is the very first time I've done this 
> so I'm a bit confused as to why this is occurring.
>
> I've restarted both snort and also barnyard2, but no change in outcome.
>
>
> Ideas?
>
> Thanks,
>
> Brad
> _____________________________________________________________ This e-mail transmission contains information that is 
> confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail 
> in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any 
> disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the 
> message immediately by informing the sender that the message was misdirected. After replying, please erase it from 
> your computer system. Your assistance in correcting this error is appreciated.
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!