[Snort-devel] barnyard syslog alerting + classification skew

Chris Baker extremis at ...1566...
Fri Sep 13 08:22:51 EDT 2002


I'm having an issue with barnyard syslog'ing the wrong classification
for a custom signature (I have not tested with standard signatures
yet, but this has been confirmed as a problem by others.)

Snort 1.9.0beta6
Barnyard RC2


:: local.rules
alert tcp any any -> any 80 (msg:"TEST blah.asp"; flags:A+; flow:to_server,established; content: "/blah.asp"; nocase; classtype:successful-user; sid:50000; rev: 1;)

:: sid-msg.map
50000 || BLAH blah.asp access

:: classification.config
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1


I triggered my blah.asp rule:

Sep 13 09:13:59 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} ->

Why am I getting "Attempted Administrator Privilege Gain?" As you can
tell in the classification.config, it is the classification following
the one I'm referencing through my rule. As a test, I changed my
classtype to "attempted-admin," and I got:

Sep 13 09:14:33 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Decode of an RPC Query] [Priority: 1] {TCP} -> 216.239

Looking in the classification.config one more time:

config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,

config classification: rpc-portmap-decode,Decode of an RPC Query,1
config classification: shellcode-detect,Executable code was detected,1

Here you can see a pattern. Barnyard logged the description from
rpc-portmap-decode instead of successful-admin. Again, this is the
entry following the one I am referencing.

Thank you,
Chris Baker
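Added here as a worked example (not code from the post, from Snort or from barnyard): a small Python checker that parses the classification.config entries quoted above, looks up the description a rule's classtype should produce, compares it with the [Classification: ...] text barnyard logged, and reports how many entries apart in file order the two are. The config is the two excerpts from the post concatenated, and the cut-off priority of successful-admin is assumed to be 1.

```python
import re
# Constructed copy of the classification.config lines quoted in the post, in
# file order; successful-admin's priority (cut off in the post) is assumed to be 1.
CLASSIFICATION_CONFIG = """\
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,1
config classification: shellcode-detect,Executable code was detected,1
"""
# sid -> classtype as declared in local.rules (the post's rule uses successful-user).
RULE_CLASSTYPES = {50000: "successful-user"}
# Constructed syslog line in the shape barnyard emitted in the post.
SYSLOG_LINE = ("Sep 13 09:13:59 serenity barnyard: [1:50000:1] BLAH blah.asp access "
               "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} ->")

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\].*?\[Classification: ([^\]]+)\]")

def parse_classifications(text):
    """Return the entries in file order as (shortname, description, priority)."""
    entries = []
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def expected_description(entries, shortname):
    """Description that classtype:<shortname> should yield."""
    return next(desc for name, desc, _ in entries if name == shortname)

def skew_offset(entries, shortname, logged_desc):
    """Distance in file order from the entry the rule named to the entry whose
    description barnyard logged; 0 means the output matched the config."""
    names = [n for n, _, _ in entries]
    descs = [d for _, d, _ in entries]
    return descs.index(logged_desc) - names.index(shortname)

def check_alert(line, entries, rule_classtypes):
    """Return (sid, expected description, logged description, skew offset)."""
    m = ALERT_RE.search(line)
    sid, logged = int(m.group(1)), m.group(2)
    classtype = rule_classtypes[sid]
    return sid, expected_description(entries, classtype), logged, skew_offset(entries, classtype, logged)

if __name__ == "__main__":
    sid, want, got, off = check_alert(SYSLOG_LINE, parse_classifications(CLASSIFICATION_CONFIG), RULE_CLASSTYPES)
    print(f"sid {sid}: expected {want!r}, logged {got!r}, offset {off:+d}")
```

Feeding it real barnyard syslog output and the live classification.config gives a quick way to confirm whether a given barnyard build agrees with the classtypes in the rule set before trusting its classifications downstream.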