[Snort-users] Barnyard: classification off by one?

Michael Scheidell scheidell at ...5171...
Sat Oct 5 15:27:03 EDT 2002


this is where change logs, and server configuration logs should be required
(by me!)
Three systems, identical (well, obviously not!)
Two systems show classification next that is NOT the same as was requested
md5 checksums on barnyard and classification.config are exact.
md5 checksums on snort are exact.

even cerebus shows it off by one when it reads the barnyard file.

what and where and how does snort send that info to barnyard?
does it send it an 'index' number? after reading the sid-map file?
I guess there could be problem if that 'index' number changed, ie a new
sid-msg file, right?

in fast.alert plugin for barnyard,
Version 0.1.0-rc2 (Build 11)
using released snort 1.9.0

old barnyard/snort ok: (do i keep a 'change log'?) ;-)
I kept pretty much up with beta's and rcs (except for snort 1.9)
(these put in to show it DID work at one time...) these are ok:
------------------------------------------------------------------------
08/11/02-18:23:39.755831  {TCP} 64.242.39.222:4222 -> 10.1.1.10:80
[**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]
[Xref => http://www.securityfocus.com/bid/1065]
[Xref => http://www.whitehats.com/info/IDS552]

started when I downloaded and installed (something?)

------------------------------------------------------------------------
08/11/02-22:17:03.263577  {TCP} 216.150.161.14:1588 -> 10.1.1.10:80
[**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Misc activity] [Priority: 1]
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

(should be web-application-attack)

and in classification.config file, the reported classification is one below
the real one.

config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3

these are ALL off by one:
in fact, since 8/11, every one was off by one.

 (note: using DEFAULT classification.config and rules!, with the exception
of the off colour porn rulz one.)

09/26/02-12:46:49.526011  {TCP} 207.68.171.247:80 -> 10.1.1.112:1083
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]

10/04/02-22:28:28.070771  {TCP} 207.18.92.26:1392 -> 208.237.120.134:80
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Misc activity] [Priority: 1]

------------------------------------------------------------------------
10/05/02-16:07:05.052871  {TCP} 207.46.249.61:80 -> 208.237.120.135:2280
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]

------------------------------------------------------------------------
10/05/02-19:51:14.170117  {TCP} 207.68.132.10:80 -> 208.237.120.131:3667
[**] [1:649:5] SHELLCODE x86 setgid 0 [**]
[Classification: A TCP connection was detected] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS284]

Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net






More information about the Snort-users mailing list