Snort mailing list archives
Re: PulledPork / Modifysid.conf Issues
From: beenph <beenph () gmail com>
Date: Thu, 19 Sep 2013 13:18:09 -0400
While there is a few information missing below you will find a way to fix this without mutch of a hassle. A simple sql query should fix this. (and btw barnyard2 2-1.9 is old you might want to consider to upgrade to current github master, but thats an other topic). 1- Look if the signature is in the database: SELECT * FROM signature WHERE sig_sid=15167; 2- Adjust signature: UPDATE signature SET sig_priority=3 WHERE sig_sid=15167; And if you want to adjust priority for multiple signature adjust just change the sig_sid argument of the sql expression. Also since you seem to change the classification, you might also want to update that manually. Enjoy. -elz On Thu, Sep 19, 2013 at 12:49 PM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:
I'm not sure what you mean by 'it is already in the database' and to 'clear it out' Can you please clarify / provide a way to acheive that? ________________________________ From: Turnbough, Bradley E. Sent: Thursday, September 19, 2013 10:29 AM To: snort-users () lists sourceforge net Subject: PulledPork / Modifysid.conf Issues Gents, Snort ---2.9.3.1 Pulled Pork ---0.6.1 Barnyard2 ---2.1.9 Sonrby ---2.5.3 Rule BEFORE Pulled Pork modifysid processing: ------------------------------------------------------------ alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:15167; rev:11;) Rule after Pulled Pork modifysid processing: ------------------------------------------------------------ alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:misc-activity; sid:15167; rev:11;) Modifysid.conf: ------------------------------------------------------------ 15167 "classtype:trojan-activity" "classtype:misc-activity"; 19020 "classtype:trojan-activity" "classtype:misc-activity"; 15168 "classtype:trojan-activity" "classtype:misc-activity"; Classification.conf: ------------------------------------------------------------ config classification: misc-activity,Misc activity,3 What I'm trying to achieve: ------------------------------------------------------------ I want to reclassify the rule from a HIGH priority (1) to a LOW priority (3). It appears that pulled pork is doing its job, as I see the classification change in the rules file, but the event isn't being inserted by barnyard2 into the snorby database with a LOW priority as per the rule classification. This is the very first time I've done this so I'm a bit confused as to why this is occurring. I've restarted both snort and also barnyard2, but no change in outcome. Ideas? Thanks, Brad _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ------------------------------------------------------------------------------ LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)
- Re: PulledPork / Modifysid.conf Issues JJC (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Y M (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)
- Re: PulledPork / Modifysid.conf Issues beenph (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Y M (Sep 23)
- Re: PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)