[Snort-users] Barnyard: classification off by one?

Dragos Ruiu dr at ...381...
Sat Oct 5 23:27:02 EDT 2002


Classification config is hardwired into Cerebus 1.4; the upcoming release
will enhance that, but you should not use that as authoritative, because
that is just a pre-1.9 snapshot of that layout and probably subject to change.
However, you can use the output mode of Cerebus, or the text dump output
mode of the logtopcap util at http://dragos.com/cerebus/logtopcap.c (which
will also let you dump both alert and log files), to see in human-readable
format what Snort recorded in the output files for the priority field
numerically, which should be unambiguous.

cheers,
--dr

On October 5, 2002 10:26 pm, Michael Scheidell wrote:
> this is where change logs, and server configuration logs should be required
> (by me!)
> Three systems, identical (well, obviously not!)
> Two systems show classification next that is NOT the same as was requested
> md5 checksums on barnyard and classification.config are exact.
> md5 checksums on snort are exact.
>
> even cerebus shows it off by one when it reads the barnyard file.
>
> what and where and how does snort send that info to barnyard?
> does it send it an 'index' number? after reading the sid-map file?
> I guess there could be a problem if that 'index' number changed, i.e. a new
> sid-msg file, right?
>
> in fast.alert plugin for barnyard,
> Version 0.1.0-rc2 (Build 11)
> using released snort 1.9.0
>
> old barnyard/snort ok: (do i keep a 'change log'?) ;-)
> I kept pretty much up with betas and RCs (except for snort 1.9)
> (these are put in to show it DID work at one time...) these are ok:
> ------------------------------------------------------------------------
> 08/11/02-18:23:39.755831  {TCP} 64.242.39.222:4222 -> 10.1.1.10:80
> [**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]
> [Xref => http://www.securityfocus.com/bid/1065]
> [Xref => http://www.whitehats.com/info/IDS552]
>
> started when I downloaded and installed (something?)
>
> ------------------------------------------------------------------------
> 08/11/02-22:17:03.263577  {TCP} 216.150.161.14:1588 -> 10.1.1.10:80
> [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Misc activity] [Priority: 1]
> [Xref => http://www.cert.org/advisories/CA-2001-19.html]
>
> (should be web-application-attack)
>
> and in classification.config file, the reported classification is one below
> the real one.
>
> config classification: web-application-attack,Web Application Attack,1
> config classification: misc-activity,Misc activity,3
>
> these are ALL off by one:
> in fact, since 8/11, every one was off by one.
>
>  (note: using DEFAULT classification.config and rules!, with the exception
> of the off colour porn rulz one.)
>
> 09/26/02-12:46:49.526011  {TCP} 207.68.171.247:80 -> 10.1.1.112:1083
> [**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
> [Classification: A suspicious string was detected] [Priority: 1]
>
> 10/04/02-22:28:28.070771  {TCP} 207.18.92.26:1392 -> 208.237.120.134:80
> [**] [1:1002:5] WEB-IIS cmd.exe access [**]
> [Classification: Misc activity] [Priority: 1]
>
> ------------------------------------------------------------------------
> 10/05/02-16:07:05.052871  {TCP} 207.46.249.61:80 -> 208.237.120.135:2280
> [**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
> [Classification: A suspicious string was detected] [Priority: 1]
>
> ------------------------------------------------------------------------
> 10/05/02-19:51:14.170117  {TCP} 207.68.132.10:80 -> 208.237.120.131:3667
> [**] [1:649:5] SHELLCODE x86 setgid 0 [**]
> [Classification: A TCP connection was detected] [Priority: 2]
> [Xref => http://www.whitehats.com/info/IDS284]
>
> Michael Scheidell
> SECNAP Network Security, LLC
> Sales: 866-SECNAPNET / (1-866-732-6276)
> Main: 561-368-9561 / www.secnap.net

-- 
dr at ...381...   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
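The reply above points at the numeric priority in the output files as the unambiguous field, and the quoted alerts show why: the "Misc activity" alert carries priority 1 while classification.config gives misc-activity priority 3. The script below, an added example that is not code from the thread or from Snort, Barnyard or Cerebus, turns that observation into a check. It parses classification.config lines in the format quoted above, parses Barnyard fast-alert records in the format quoted above, and flags every alert whose displayed classification is configured with a different priority than the alert shows. Its inputs are constructed from the lines quoted in the thread; classification names whose config entry is not quoted on the page (such as "A TCP connection was detected") are reported as unknown rather than guessed. The assumption, as stated in the reply, is that the priority in the event record is the one the sensor computed, so a disagreement means the name was resolved against a different classification entry than the sensor used.

```python
"""Added example (not from the thread or from Snort/Barnyard/Cerebus).

Cross-check Barnyard fast-alert output against classification.config.

classification.config lines have the form quoted in the thread:
    config classification: <shortname>,<display text>,<priority>
Each fast alert carries the display text and a numeric priority. If the
displayed classification is configured with a different priority than the
alert shows, the classification name was resolved against the wrong entry,
which is the off-by-one symptom discussed in the thread.
"""
import re

# Constructed input: the two classification.config lines quoted in the thread.
CLASSIFICATION_CONFIG = """\
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
"""

# Constructed input: three of the fast alerts quoted in the thread.
FAST_ALERTS = """\
08/11/02-18:23:39.755831  {TCP} 64.242.39.222:4222 -> 10.1.1.10:80
[**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

08/11/02-22:17:03.263577  {TCP} 216.150.161.14:1588 -> 10.1.1.10:80
[**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Misc activity] [Priority: 1]
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

10/05/02-19:51:14.170117  {TCP} 207.68.132.10:80 -> 208.237.120.131:3667
[**] [1:649:5] SHELLCODE x86 setgid 0 [**]
[Classification: A TCP connection was detected] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS284]
"""

CONFIG_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")
SIG_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*)\] \[Priority: (\d+)\]$")


def parse_classification_config(text):
    """Map display text -> (shortname, priority) from classification.config."""
    table = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            shortname, display, priority = m.groups()
            table[display.strip()] = (shortname.strip(), int(priority))
    return table


def parse_fast_alerts(text):
    """Return one dict per alert with gid, sid, rev, msg, classification, priority."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            gid, sid, rev, msg = m.groups()
            current = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
            alerts.append(current)
            current = None
    return alerts


def check_alerts(alerts, config):
    """Return (sid, status, detail) per alert; status is 'ok', 'mismatch' or 'unknown'."""
    report = []
    for a in alerts:
        entry = config.get(a["classification"])
        if entry is None:
            detail = "classification %r not in classification.config" % a["classification"]
            report.append((a["sid"], "unknown", detail))
        elif entry[1] != a["priority"]:
            detail = "shown priority %d but %s is configured as %d" % (
                a["priority"], entry[0], entry[1])
            report.append((a["sid"], "mismatch", detail))
        else:
            report.append((a["sid"], "ok", entry[0]))
    return report


def run_check(config_text=CLASSIFICATION_CONFIG, alert_text=FAST_ALERTS):
    """Run the cross-check over the constructed inputs (or any text passed in)."""
    return check_alerts(parse_fast_alerts(alert_text),
                        parse_classification_config(config_text))


if __name__ == "__main__":
    for sid, status, detail in run_check():
        print("sid %d: %s (%s)" % (sid, status, detail))
```

Run against a real alert file and the sensor's classification.config by passing their contents to run_check; a run that reports "mismatch" for nearly every alert is the pattern Michael describes, while a run full of "unknown" usually means the config file given to the check is not the one the sensor loaded.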