[Snort-users] Snort frustration

Humes, David G. David.Humes at ...383...
Fri Jun 2 12:50:33 EDT 2006


We saw this before using Barnyard, but to answer the question - 

1.  After adding or changing rules, I restart barnyard (followed by
snort) using a script that calls the create-sidmap.pl script supplied
with barnyard.  

2.  create-sidmap.pl drops the updated sid-msg.map file into
/etc/snort/rules

3.  The barnyard.conf file loads the sid-msg.map file from the same
directory.
config sid-msg-map:     /etc/snort/rules/sid-msg.map

So, yes, I am confident that barnyard is reading the correct file.

--Dave

> -----Original Message-----
> From: Joel Esler [mailto:joel.esler at ...1935...] 
> Sent: Friday, June 02, 2006 12:37 PM
> To: Humes, David G.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort frustration
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Are you sure barnyard is reading the properly updated 
> sid-msg.map file?
> 
> Joel
> 
> Humes, David G. wrote:
> > I added this rule to look for Google Desktop traffic.
> > 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google
> > Desktop User-Agent detected"; flow:established,to_server;
> > content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0
> > (compatible\; Google Desktop)"; nocase; threshold:type limit,track
> > by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018;
> > rev:1;)
> > 
> > And it appears to have fired on this packet.
> > 
> > Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400
> > 
> > 
> > ------------------------------------------------------------------------------
> > #(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
> > Google Desktop User-Agent detected
> > IPv4: 192.168.1.100 -> 216.239.39.99
> >       hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
> > TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
> >       ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
> > Payload:  length = 43
> > 
> > 000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
> > 010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
> > 020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
> > 
> > This is a continual frustration, where a rule fires and the payload
> > does not match.  Most of the time, the payload does match.  But, it's
> > not hard to find instances like the one above.  Can anyone offer some
> > reasons why this may be occurring and what can be done to correct the
> > problem?  Was there some payload that really did match and it's just
> > showing the wrong payload?  Or did the detection engine just mess up?
> > 
> > We're running Version 2.4.3 (Build 26), but this problem has been with
> > us through two generations of Snort sensors and numerous versions.  We
> > use Barnyard and unified logging, but the problem was seen before we
> > implemented Barnyard.  Any help would be greatly appreciated.
> > 
> > -Dave
> > 
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> - --
> +---------------------------------------------------------------------+
> Joel Esler           Senior Security Consultant          1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> GPG Key http://demo.sourcefire.com/jesler.pgp.key
> +---------------------------------------------------------------------+
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFEgGkTKbCSyXHckt4RAqd9AKCB/mUcfnHuO4ld9pixNt6bvNhA/ACfVLoA
> IIem+mi7P5/SHmGcGheDoKk=
> =8Eua
> -----END PGP SIGNATURE-----
> 
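As an added example that is not part of the thread, here is a small Python checker that applies the content, offset, depth and nocase options from Dave's rule to the 43-byte payload BASE logged for the alert, and then to a constructed complete request carrying a User-Agent header (the Host value and the header layout are assumptions, not taken from the thread). It follows Snort 2.x semantics for content options that carry no distance or within modifier: each pattern is searched on its own, inside the window that offset and depth define, and nocase makes that comparison case-insensitive. This is the triage check to run before suspecting the detection engine: can the packet attached to the alert satisfy every content option of the rule it names?

```python
# Added example, not code from the Snort project or from the thread.
# Assumes Snort 2.x content semantics: without distance/within each content is
# searched independently; offset/depth bound the window; nocase ignores case.

# Option string of the rule posted in the thread (the rule header is not needed).
RULE_OPTIONS = (
    'msg:"Google Desktop User-Agent detected"; flow:established,to_server; '
    'content:"GET "; offset:0; depth:4; '
    'content:"|0d 0a|User-Agent\\: Mozilla/4.0 (compatible\\; Google Desktop)"; nocase; '
    'threshold:type limit,track by_src, count 1,seconds 300; '
    'classtype:policy-violation; sid:8001018; rev:1;'
)

# The 43-byte payload from the BASE alert in the thread, transcribed from its hex dump.
LOGGED_PAYLOAD = b"GET /dsnews?j=6&hl=en&ed=com&v=2 HTTP/1.1\r\n"

# Constructed for illustration: the same request line followed by headers a
# client would send in a complete request. The Host value is a placeholder.
FULL_REQUEST = (
    LOGGED_PAYLOAD
    + b"Host: example.com\r\n"
    + b"User-Agent: Mozilla/4.0 (compatible; Google Desktop)\r\n"
    + b"\r\n"
)


def split_options(opts):
    """Split a rule option string on ';' characters that are neither escaped nor inside quotes."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def decode_content(value):
    """Turn a quoted content value into bytes: |hh hh| is hex, a backslash escapes the next character."""
    value = value.strip()
    if not (value.startswith('"') and value.endswith('"')):
        raise ValueError("content value must be quoted: %r" % value)
    body, out, i = value[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch == "|":
            end = body.index("|", i + 1)
            out += bytes.fromhex(body[i + 1:end])
            i = end + 1
        elif ch == "\\":
            out.append(ord(body[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def parse_contents(opts):
    """Collect each content pattern together with the offset/depth/nocase modifiers that follow it."""
    contents = []
    for item in split_options(opts):
        key, _, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append({"pattern": decode_content(val), "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(val)
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
    return contents


def content_matches(payload, c):
    """True if the pattern occurs inside the window payload[offset:offset+depth]."""
    start = c["offset"]
    end = len(payload) if c["depth"] is None else start + c["depth"]
    window, pattern = payload[start:end], c["pattern"]
    if c["nocase"]:
        return pattern.lower() in window.lower()
    return pattern in window


def evaluate(payload, opts=RULE_OPTIONS):
    """Per-content results in rule order; the rule can only fire if all of them are True."""
    return [content_matches(payload, c) for c in parse_contents(opts)]


def rule_matches(payload, opts=RULE_OPTIONS):
    return all(evaluate(payload, opts))
```

For the logged packet `evaluate(LOGGED_PAYLOAD)` returns `[True, False]`: the request line satisfies the first content option, but nothing in those 43 bytes contains the User-Agent pattern, so that packet on its own cannot be what the second content option matched. The constructed full request returns `[True, True]`, and the nocase flag is what lets an upper-cased `GOOGLE DESKTOP` still match.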