Snort mailing list archives

Snort Alert [gid:sid:revision] instead of signature name Barnyard2


From: Joshua Roback <jroback () gmail com>
Date: Mon, 24 Oct 2016 13:58:39 +0000

I am running into an issue with Barnyard2 Version 2.1.13 (Build 327) and
Snort Version 2.9.6.0 GRE (Build 47) where if the classtype (sig_class_id
in the Snort database) changes for a signature, it will revert to the
generic sig_name format of "Snort Alert [GID:SID:REVISION]" rather than
using the real sig_name.

I was able to replicate this on a lab device. I created a rule using sig_name
"Josh sid-map Test Rule" with a sig_sid of 4041974 and a classtype of
"misc-activity" (sig_class_id = 153). I then generated the alert, changed the
classtype in the rule to successful-admin (sig_class_id = 93), and generated the
alert again. Here is the outcome.


mysql> select * from signature where sig_sid = '4041974';
+--------+---------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name                  | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+---------------------------+--------------+--------------+---------+---------+---------+
|   1646 | Josh sid-map Test Rule    |          153 |            4 |       1 | 4041974 |       1 |
|   1651 | Snort Alert [1:4041974:1] |           93 |            4 |       1 | 4041974 |       1 |
+--------+---------------------------+--------------+--------------+---------+---------+---------+
2 rows in set (0.00 sec)

Searched the Internet and found some similar issues but nothing that
explained this issue. Has anyone seen this before? sid-msg.map and
gen-msg.map look correct.
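As an added check that is not part of the original post, the following query finds every signature row that has fallen back to the generic "Snort Alert [gid:sid:rev]" name, pairs it with the properly named row sharing the same gid/sid (if one exists), and counts the events logged under the generic row. It assumes the standard Snort/Barnyard2 database schema, where `event.signature` references `signature.sig_id`.

```sql
-- Added example, not from the original post. Assumes the standard Snort/Barnyard2
-- schema: signature(sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid)
-- and event(sid, cid, signature, timestamp), with event.signature -> signature.sig_id.
-- Lists each signature row that reverted to the generic "Snort Alert [gid:sid:rev]"
-- name, the properly named row (if any) with the same gid/sid, and how many
-- events were recorded under the generic row, so the impact can be reviewed.
SELECT g.sig_id       AS generic_sig_id,
       g.sig_name     AS generic_name,
       g.sig_class_id AS generic_class_id,
       n.sig_id       AS named_sig_id,
       n.sig_name     AS real_name,
       n.sig_class_id AS named_class_id,
       COUNT(e.cid)   AS events_under_generic
FROM signature AS g
LEFT JOIN signature AS n
       ON n.sig_gid  = g.sig_gid
      AND n.sig_sid  = g.sig_sid
      AND n.sig_name NOT LIKE 'Snort Alert [%:%:%]'
LEFT JOIN event AS e
       ON e.signature = g.sig_id
WHERE g.sig_name LIKE 'Snort Alert [%:%:%]'
GROUP BY g.sig_id, g.sig_name, g.sig_class_id,
         n.sig_id, n.sig_name, n.sig_class_id
ORDER BY g.sig_gid, g.sig_sid, g.sig_id;
```

Against the table shown in the post, this returns the generic row 1651 paired with the named row 1646; the differing class ids in the two columns point at the classtype change as the trigger.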