[Snort-devel] barnyard syslog alerting + classification skew

Chris Baker extremis at ...1566...
Sun Sep 15 11:53:02 EDT 2002


I was hoping that this was the case; however, it is not. I am currently
pointing both barnyard and snort to the same classification file.

On Fri, Sep 13, 2002 at 04:46:52PM -0400, Andrew R. Baker wrote:
> 
> Chris Baker wrote:
> >Summary:
> >
> >I'm having an issue with barnyard syslog'ing the wrong classification
> >for a custom signature (I have not tested with standard signatures
> >yet, but this has been confirmed as a problem by others.)
> >
> >Versions:
> >Snort 1.9.0beta6
> >Barnyard RC2
> >
> >Configs:
> >
> >:: local.rules
> >alert tcp any any -> any 80 (msg:"TEST blah.asp"; flags:A+; flow:to_server,established; content:"/blah.asp"; nocase; classtype:successful-user; sid:50000; rev:1;)
> >
> >:: sid-msg.map
> >50000 || BLAH blah.asp access
> >
> >:: classification.config
> >config classification: successful-user,Successful User Privilege Gain,1
> >config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> >
> >Details:
> >
> >I triggered my blah.asp rule:
> >
> >Sep 13 09:13:59 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 24.242.237.197:56557 -> 216.239.37.101:80
> >
> >Why am I getting "Attempted Administrator Privilege Gain?" As you can
> >tell in the classification.config, it is the classification following
> >the one I'm referencing through my rule. As a test, I changed my
> >classtype to "attempted-admin," and I got:
> >
> >Sep 13 09:14:33 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Decode of an RPC Query] [Priority: 1] {TCP} 24.242.237.197:53894 -> 216.239.51.101:80
> >
> >Looking in the classification.config one more time:
> >
> >config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> >config classification: successful-admin,Successful Administrator Privilege Gain,1
> >
> >
> ># NEW CLASSIFICATIONS
> >config classification: rpc-portmap-decode,Decode of an RPC Query,1
> >config classification: shellcode-detect,Executable code was detected,1
> >
> >Here you can see a pattern. Barnyard logged the description from
> >rpc-portmap-decode instead of successful-admin. Again, this is the
> >entry following the one I am referencing.
> 
> Are Barnyard and Snort using the same classification config?  There is 
> a known problem with classification config entries in that the class-id 
> assigned is based on the order of the entries in the file.  (Yes, this 
> will be fixed in the future.)
> 
> Does this happen on all the rules or just your custom one?
> 
> -A
> 
> 
> 
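The order-based class id that Andrew describes can be modelled directly, which makes the failure mode easy to reason about: Snort turns the rule's classtype into a number taken from the entry's position in classification.config, and Barnyard turns that number back into text using its own copy of the file. The script below is an added example, not Snort or Barnyard code. The sample classification.config is constructed from the entries shown in this thread, and the idea that one side numbers positions from 0 while the other numbers from 1 is only an illustrative assumption, chosen because it produces the "next entry" pattern Chris reports; the thread itself only establishes that the ids are positional. The same model also shows what happens when the two programs read files that differ by one entry.

```python
"""Model of positional class ids, as described in this thread.

Added example, not Snort or Barnyard code.  The only fact taken from the
thread is that each 'config classification:' entry gets a class id from its
position in the file.  How either program numbers positions, and the sample
config below, are constructed assumptions for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Classification(NamedTuple):
    name: str
    description: str
    priority: int


# Constructed sample, in the order the thread's excerpts show the entries.
SAMPLE_CONFIG = """\
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,1
config classification: shellcode-detect,Executable code was detected,1
"""

_ENTRY_RE = re.compile(r"^config\s+classification:\s*(.+)$")


def parse_classification_config(text: str) -> List[Classification]:
    """Return the entries in file order, skipping blank lines and # comments.

    Because ids are positional, anything that changes the order or count of
    parsed entries (an inserted line, a different file, a loader that counts
    differently) shifts every id after that point.
    """
    entries: List[Classification] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 3:
            raise ValueError(f"expected name,description,priority: {raw!r}")
        entries.append(Classification(fields[0], fields[1], int(fields[2])))
    return entries


def ids_by_name(entries: List[Classification], first_id: int) -> Dict[str, int]:
    """Sensor side (Snort): class id = first_id + position in the file."""
    return {e.name: first_id + i for i, e in enumerate(entries)}


def entries_by_id(entries: List[Classification], first_id: int) -> Dict[int, Classification]:
    """Reader side (Barnyard): the inverse table, built from its own copy."""
    return {first_id + i: e for i, e in enumerate(entries)}


def logged_description(classtype: str,
                       sensor_entries: List[Classification], sensor_first_id: int,
                       reader_entries: List[Classification], reader_first_id: int) -> Optional[str]:
    """Text the reader prints for a rule carrying `classtype`.

    Sensor and reader agree only when both tables hold the same entries in
    the same order and number them the same way.  None means the id fell
    off the end of the reader's table.
    """
    cid = ids_by_name(sensor_entries, sensor_first_id)[classtype]
    hit = entries_by_id(reader_entries, reader_first_id).get(cid)
    return hit.description if hit else None


def find_skew(sensor_entries: List[Classification], sensor_first_id: int,
              reader_entries: List[Classification], reader_first_id: int
              ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map classtype -> (intended description, logged description) for every mismatch."""
    skew: Dict[str, Tuple[str, Optional[str]]] = {}
    for e in sensor_entries:
        got = logged_description(e.name, sensor_entries, sensor_first_id,
                                 reader_entries, reader_first_id)
        if got != e.description:
            skew[e.name] = (e.description, got)
    return skew


if __name__ == "__main__":
    entries = parse_classification_config(SAMPLE_CONFIG)
    # Same file, same numbering: nothing to report.
    print("same file, same numbering:", find_skew(entries, 1, entries, 1))
    # Same file, but the reader numbers from 0 (hypothetical): each id
    # resolves to the entry after the one the rule named.
    for name, (want, got) in find_skew(entries, 1, entries, 0).items():
        print(f"{name}: wanted {want!r}, logged {got!r}")
```

Pointing both programs at one file, as Chris did, removes the "different file" cause but not a numbering difference between the two loaders; the only check that settles it is to confirm that the class id Snort writes for a known rule resolves to the intended name in Barnyard's table.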