[Snort-devel] barnyard syslog alerting + classification skew

Andrew R. Baker andrewb at ...835...
Fri Sep 13 13:48:02 EDT 2002


Chris Baker wrote:
> Summary:
> 
> I'm having an issue with barnyard syslog'ing the wrong classification
> for a custom signature (I have not tested with standard signatures
> yet, but this has been confirmed as a problem by others.)
> 
> Versions:
> Snort 1.9.0beta6
> Barnyard RC2
> 
> Configs:
> 
> :: local.rules
> alert tcp any any -> any 80 (msg:"TEST blah.asp"; flags:A+; flow:to_server,established; content: "/blah.asp"; nocase; classtype:successful-user; sid:50000; rev:1;)
> 
> :: sid-msg.map
> 50000 || BLAH blah.asp access
> 
> :: classification.config
> config classification: successful-user,Successful User Privilege Gain,1
> config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> 
> Details:
> 
> I triggered my blah.asp rule:
> 
> Sep 13 09:13:59 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 24.242.237.197:56557 -> 216.239.37.101:80
> 
> Why am I getting "Attempted Administrator Privilege Gain?" As you can
> tell in the classification.config, it is the classification following
> the one I'm referencing through my rule. As a test, I changed my
> classtype to "attempted-admin," and I got:
> 
> Sep 13 09:14:33 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Decode of an RPC Query] [Priority: 1] {TCP} 24.242.237.197:53894 -> 216.239.51.101:80
> 
> Looking in the classification.config one more time:
> 
> config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> config classification: successful-admin,Successful Administrator Privilege Gain,1
> 
> 
> # NEW CLASSIFICATIONS
> config classification: rpc-portmap-decode,Decode of an RPC Query,1
> config classification: shellcode-detect,Executable code was detected,1
> 
> Here you can see a pattern. Barnyard logged the description from
> rpc-port-map-decode instead of successful-admin. Again, this is the
> entry following the one I am referencing.

Are Barnyard and Snort using the same classification config?  There is a 
known problem with classification config entries in that the class-id 
assigned is based on the order of the entries in the file.  (Yes, this 
will be fixed in the future.)

Does this happen on all the rules or just your custom one?

-A
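An added example (not from the thread, Snort or Barnyard) that models the order-based class-id lookup Andrew describes and checks two classification.config copies for skew. The two config texts are constructed: the Barnyard copy is missing the first entry of the Snort copy, which reproduces the "next entry" symptom from the report.

```python
import re

# Constructed sample files (not the poster's real configs): the Barnyard copy
# is missing the first entry, so every later class-id is off by one.
SNORT_CONF = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,1
config classification: shellcode-detect,Executable code was detected,1
"""
BARNYARD_CONF = "\n".join(SNORT_CONF.splitlines()[1:]) + "\n"

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")

def parse_classifications(text):
    """Return (shortname, description, priority) tuples in file order.
    With the behaviour described in the reply, list position is the class-id."""
    entries = []
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return entries

def logged_description(snort_entries, barnyard_entries, classtype):
    """Simulate the skew: Snort writes the positional id of `classtype` from its
    own file; Barnyard resolves that id against its own file."""
    class_id = next(i for i, (name, _, _) in enumerate(snort_entries) if name == classtype)
    if class_id >= len(barnyard_entries):
        return None  # id points past the end of Barnyard's table
    return barnyard_entries[class_id][1]

def classification_skew(snort_entries, barnyard_entries):
    """Check to run before trusting Barnyard's syslog output: every position
    whose shortname differs between the two files."""
    width = max(len(snort_entries), len(barnyard_entries))
    skew = []
    for i in range(width):
        s = snort_entries[i][0] if i < len(snort_entries) else None
        b = barnyard_entries[i][0] if i < len(barnyard_entries) else None
        if s != b:
            skew.append((i, s, b))
    return skew

if __name__ == "__main__":
    snort, barnyard = parse_classifications(SNORT_CONF), parse_classifications(BARNYARD_CONF)
    print(logged_description(snort, barnyard, "successful-user"))
    for pos, s, b in classification_skew(snort, barnyard):
        print(f"class-id {pos}: snort={s} barnyard={b}")
```

Running it against the real files on both hosts (read them in place of the constructed strings) tells you whether the two daemons agree on every class-id before a single alert is logged.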
