[Snort-users] Re: reference tags: snort, bleeding sigs, database plugin,MySQL, BASE, somebody!

Kevin Johnson kjohnson at ...12400...
Sat Aug 6 12:02:20 EDT 2005

On Wed, 2005-08-03 at 22:22 -0400, Jeff Kell wrote:
> This may very well be a "known problem" or "not a bug, it's a feature", but I thought I would point out this little annoyance...
> Using the above combination, the resulting BASE alert displays the message text from the rule, and prefixes it with URL links for the reference tags (url, buqtraq, cve, etc).  However, many of them are *NOT* properly linked with URL links, only the reference type "word" and no link.
> For example (using text, not pasting html, so bear with me), the bleeding-sig 2000900, which I'll twist around so the exact spacing of the reference tags are clear:

... snip ... 

> This is rendered in BASE with:
> > [url] url url[snort] BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP
> Only the first [url] is really a hyperlink.  The other two urls are, well, just the word url.  The rendered html from BASE shows:

... snip ... 

> Apparently the reference: tags are pushed out in the opposite order they appear in the rule, but I don't care what order they come in.  I just want the hyperlinks to survive intact - the 'url' words without a real hyperlink also drop any semblance of the original reference.
> What appears to cause this is the presence or absence of a space between the "reference:" in the rule and the reference type.  e.g., 'reference:url,www.foo.bar' works, 'reference: url,www.foo.bar' fails.
> So I'm not sure who is at fault here :-)  It shows up in BASE.  But the underlying alert database is also at fault -- we find the reference types appear twice(!) -- once with a leading space, once without:

... snip ... 

> Could this be the database plugin?  The sid-message.map file is consistent, so posting to the database via Barnyard might not have this behavior (I don't know, I don't have barnyard).
> Could this be snort parsing the reference tags in the rule differently?  I don't feel up to source digging at the moment so that one will be left as an exercise for the reader (or a comment from sourcefire :-) ).
> The easy fix is to blame bleedingsnort for the occasional space after the reference: tag (which sourcefire doesn't appear to have), but this could wreak havoc on existing databases and archives.  Doesn't particularly bother me, but might bother someone else.
> Comments?  
> Jeff


I am not sure who to blame either... I think the rule parser should
probably handle this but we should be displaying it correctly.  I have
checked a simple fix into CVS and it will be part of BASE 1.1.4 which
should be released soon.  I would greatly appreciate any testing of the
fix you would be willing to do for us.

BASE Project Lead
The next step in IDS analysis!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050806/e73ed1db/attachment.sig>

More information about the Snort-users mailing list