[Snort-devel] barnyard syslog alerting + classification skew

Chris Baker extremis at ...1566...
Sun Sep 15 12:47:01 EDT 2002


Ok ok, I forgot to answer your second question:

:: /var/log/snort/syslog
Sep 15 14:39:06 serenity barnyard: [1:349:4] FTP EXPLOIT MKD overflow [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 209.113.103.3:1978 -> 24.242.237.197:21

:: ftp.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:4;)

:: sid-msg.map
349 || FTP EXPLOIT MKD overflow || cve,CVE-1999-0368 || bugtraq,113

:: classification.config
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

This is from an unmodified snortrule ftp.rules. This should have
logged it as "Attempted Administrator Privilege Gain," and not
"Successful Administrator Privilege Gain."

So, to answer your question: It seems to be doing it on all rules.

On Fri, Sep 13, 2002 at 04:46:52PM -0400, Andrew R. Baker wrote:
> Delivered-To: extremis at ...1566...
> Date: Fri, 13 Sep 2002 16:46:52 -0400
> From: "Andrew R. Baker" <andrewb at ...835...>
> User-Agent: Mozilla/5.0 (X11; U; Darwin Power Macintosh; en-US; rv:1.1) Gecko/20020904
> X-Accept-Language: en-us, en
> To: extremis at ...1566...
> CC: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] barnyard syslog alerting + classification skew
> 
> Chris Baker wrote:
> >Summary:
> >
> >I'm having an issue with barnyard syslog'ing the wrong classification
> >for a custom signature (I have not tested with standard signatures
> >yet, but this has been confirmed as a problem by others.)
> >
> >Versions:
> >Snort 1.9.0beta6
> >Barnyard RC2
> >
> >Configs:
> >
> >:: local.rules
> >alert tcp any any -> any 80 (msg:"TEST blah.asp"; flags:A+; flow:to_server,established; content: "/blah.asp"; nocase; classtype:successful-user; sid:50000; rev: 1;)
> >
> >:: sid-msg.map
> >50000 || BLAH blah.asp access
> >
> >:: classification.config
> >config classification: successful-user,Successful User Privilege Gain,1
> >config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> >
> >Details:
> >
> >I triggered my blah.asp rule:
> >
> >Sep 13 09:13:59 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 24.242.237.197:56557 -> 216.239.37.101:80
> >
> >Why am I getting "Attempted Administrator Privilege Gain?" As you can
> >tell in the classification.config, it is the classification following
> >the one I'm referencing through my rule. As a test, I changed my
> >classtype to "attempted-admin," and I got:
> >
> >Sep 13 09:14:33 serenity barnyard: [1:50000:1] BLAH blah.asp access [Classification: Decode of an RPC Query] [Priority: 1] {TCP} 24.242.237.197:53894 -> 216.239.51.101:80
> >
> >Looking in the classification.config one more time:
> >
> >config classification: attempted-admin,Attempted Administrator Privilege Gain,1
> >config classification: successful-admin,Successful Administrator Privilege Gain,1
> >
> >
> ># NEW CLASSIFICATIONS
> >config classification: rpc-portmap-decode,Decode of an RPC Query,1
> >config classification: shellcode-detect,Executable code was detected,1
> >
> >Here you can see a pattern. Barnyard logged the description from
> >rpc-portmap-decode instead of successful-admin. Again, this is the
> >entry following the one I am referencing.
> 
> Are Barnyard and Snort using the same classification config?  There is 
> known problem with classification config entries in that the class-id 
> assigned is based on the order of the entries in the file.  (Yes this 
> will be fixed in the future)
> 
> Does this happen on all the rules or just your custom one?
> 
> -A
> 
> 
> 
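An added check (not code from this thread, nor from Snort or Barnyard) that parses a classification.config, the classtype of each rule, and a Barnyard syslog line, then reports whether the logged Classification text matches the rule's classtype and how many config entries off it is. The sample inputs are the ftp.rules case from the message above; the parsing regexes are my own assumptions about the formats:

```python
import re
# Sample inputs constructed from the thread above (the ftp.rules case).
CLASSIFICATION_CONFIG = """\
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
"""
RULES = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; '
         'flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; '
         'reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:4;)\n')
SYSLOG = ('Sep 15 14:39:06 serenity barnyard: [1:349:4] FTP EXPLOIT MKD overflow '
          '[Classification: Successful Administrator Privilege Gain] [Priority: 1] '
          '{TCP} 209.113.103.3:1978 -> 24.242.237.197:21')
CLASS_RE = re.compile(r'^\s*config classification:\s*([^,]+),([^,]+),(\d+)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CLASSTYPE_RE = re.compile(r'\bclasstype:\s*([\w-]+)\s*;')
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+.*?\s+\[Classification:\s*(.*?)\]')

def parse_classifications(text):
    """Ordered list of (shortname, description, priority). Order matters:
    Snort and Barnyard derive the numeric class id from file position."""
    out = []
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            out.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return out

def rule_classtypes(text):
    """Map sid -> classtype shortname for every rule that declares both."""
    mapping = {}
    for line in text.splitlines():
        sid, ct = SID_RE.search(line), CLASSTYPE_RE.search(line)
        if sid and ct:
            mapping[int(sid.group(1))] = ct.group(1)
    return mapping

def check_alert(syslog_line, classes, sid_to_classtype):
    """Return (ok, expected, logged, offset): offset is how many config entries
    the logged description sits after the one the rule's classtype names
    (None if absent). The thread's symptom is offset == 1, the next entry."""
    m = ALERT_RE.search(syslog_line)
    if not m: raise ValueError("not a Barnyard syslog alert line")
    sid, logged = int(m.group(2)), m.group(4)
    names, descs = [c[0] for c in classes], [c[1] for c in classes]
    expected_idx = names.index(sid_to_classtype[sid])
    expected = descs[expected_idx]
    offset = descs.index(logged) - expected_idx if logged in descs else None
    return (logged == expected, expected, logged, offset)
```

Running the same check over the classification.config that Barnyard actually loads, not only Snort's, is the quickest way to confirm whether the two daemons are reading files with different entry orders.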