[Snort-users] snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Fri Aug 27 09:54:14 EDT 2010


Hi,

Found a problem where the following was returned from the snort.signature table for the following query:

SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';

'969', 'Snort Alert [138:2:0]'
'443', 'Snort Alert [138:4:0]'
'1181', 'Snort Alert [1:13974:0]'
'1163', 'Snort Alert [1:14782:0]'
'1251', 'Snort Alert [1:15114:0]'
'1160', 'Snort Alert [1:16180:0]'
'402', 'Snort Alert [1:2402000:0]'
'420', 'Snort Alert [1:2402001:0]'
'499', 'Snort Alert [1:2402000:0]'
'549', 'Snort Alert [1:2402001:0]'
'504', 'Snort Alert [1:2406085:0]'
'531', 'Snort Alert [1:2406097:0]'
'558', 'Snort Alert [1:2406011:0]'
'628', 'Snort Alert [1:2406063:0]'
'676', 'Snort Alert [1:2406010:0]'
'498', 'Snort Alert [1:2406181:0]'
'505', 'Snort Alert [1:2406189:0]'
'601', 'Snort Alert [1:2406146:0]'
'622', 'Snort Alert [1:2406144:0]'
'625', 'Snort Alert [1:2406183:0]'
'433', 'Snort Alert [1:2406242:0]'
'529', 'Snort Alert [1:2406237:0]'
'544', 'Snort Alert [1:2406281:0]'
'576', 'Snort Alert [1:2406207:0]'
'617', 'Snort Alert [1:2406260:0]'
'666', 'Snort Alert [1:2406245:0]'
'555', 'Snort Alert [1:2406361:0]'
'564', 'Snort Alert [1:2406391:0]'
'501', 'Snort Alert [1:2406493:0]'
'568', 'Snort Alert [1:2406463:0]'
'623', 'Snort Alert [1:2406418:0]'
'624', 'Snort Alert [1:2406492:0]'
'641', 'Snort Alert [1:2406489:0]'
'503', 'Snort Alert [1:2406569:0]'
'554', 'Snort Alert [1:2406595:0]'
'570', 'Snort Alert [1:2406503:0]'
'619', 'Snort Alert [1:2406542:0]'
'643', 'Snort Alert [1:2406584:0]'
'649', 'Snort Alert [1:2406594:0]'
'661', 'Snort Alert [1:2406564:0]'
'414', 'Snort Alert [1:2406649:0]'
'415', 'Snort Alert [1:2406648:0]'
'479', 'Snort Alert [1:2406614:0]'
'516', 'Snort Alert [1:2406621:0]'
'543', 'Snort Alert [1:2406608:0]'
'574', 'Snort Alert [1:2406623:0]'
'629', 'Snort Alert [1:2406641:0]'
'630', 'Snort Alert [1:2406640:0]'
'644', 'Snort Alert [1:2406612:0]'
'668', 'Snort Alert [1:2406606:0]'
'432', 'Snort Alert [1:2500036:0]'
'435', 'Snort Alert [1:2500004:0]'
'472', 'Snort Alert [1:2500024:0]'
'473', 'Snort Alert [1:2500016:0]'
'474', 'Snort Alert [1:2500030:0]'
'494', 'Snort Alert [1:2500020:0]'
'495', 'Snort Alert [1:2500098:0]'
'552', 'Snort Alert [1:2500088:0]'
'553', 'Snort Alert [1:2500099:0]'
'559', 'Snort Alert [1:2500071:0]'
'565', 'Snort Alert [1:2500077:0]'
'566', 'Snort Alert [1:2500002:0]'
'567', 'Snort Alert [1:2500063:0]'
'581', 'Snort Alert [1:2500024:0]'
'590', 'Snort Alert [1:2500008:0]'
'616', 'Snort Alert [1:2500004:0]'
'618', 'Snort Alert [1:2500022:0]'
'652', 'Snort Alert [1:2500020:0]'
'662', 'Snort Alert [1:2500016:0]'
'667', 'Snort Alert [1:2500042:0]'
'677', 'Snort Alert [1:2500030:0]'
'416', 'Snort Alert [1:2500174:0]'
'417', 'Snort Alert [1:2500135:0]'
'477', 'Snort Alert [1:2500142:0]'
'481', 'Snort Alert [1:2500124:0]'
'483', 'Snort Alert [1:2500118:0]'
'492', 'Snort Alert [1:2500100:0]'
'493', 'Snort Alert [1:2500126:0]'
'533', 'Snort Alert [1:2500150:0]'
'550', 'Snort Alert [1:2500148:0]'
'556', 'Snort Alert [1:2500168:0]'
'571', 'Snort Alert [1:2500126:0]'
'572', 'Snort Alert [1:2500182:0]'
'573', 'Snort Alert [1:2500139:0]'
'575', 'Snort Alert [1:2500154:0]'
'586', 'Snort Alert [1:2500170:0]'
'591', 'Snort Alert [1:2500162:0]'
'592', 'Snort Alert [1:2500114:0]'
'595', 'Snort Alert [1:2500106:0]'
'596', 'Snort Alert [1:2500122:0]'
'597', 'Snort Alert [1:2500176:0]'
'609', 'Snort Alert [1:2500108:0]'
'613', 'Snort Alert [1:2500104:0]'
'614', 'Snort Alert [1:2500130:0]'
'627', 'Snort Alert [1:2500166:0]'
'632', 'Snort Alert [1:2500128:0]'
'633', 'Snort Alert [1:2500102:0]'
'634', 'Snort Alert [1:2500102:0]'
'635', 'Snort Alert [1:2500120:0]'
'639', 'Snort Alert [1:2500164:0]'
'646', 'Snort Alert [1:2500110:0]'
'475', 'Snort Alert [1:2500245:0]'
'478', 'Snort Alert [1:2500266:0]'
'496', 'Snort Alert [1:2500218:0]'
'557', 'Snort Alert [1:2500211:0]'
'594', 'Snort Alert [1:2500272:0]'
'637', 'Snort Alert [1:2500232:0]'
'638', 'Snort Alert [1:2500232:0]'
'664', 'Snort Alert [1:2500208:0]'
'665', 'Snort Alert [1:2500210:0]'
'534', 'Snort Alert [1:2520138:0]'
'377', 'Snort Alert [1:66666:0]'

Barnyard2 is supposed to insert signature names like "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt" into sig_name of the snort.signature table, correct?

So what happened? 

Better yet, how do we clean this mess up?

We think Barnyard2 is not at fault, and the snort sid-msg.map and rules are the problem.

Are we thinking in the correct direction?

Thanks,
Larry
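The rows above have the shape of barnyard2's fallback name, "Snort Alert [gid:sid:rev]", which it uses when it has no message for that generator/signature pair; the map files are therefore the first place to look. The script below is an added example written for this thread, not code from the post or from the barnyard2 project. It parses a sid-msg.map excerpt in the older "sid || msg || ref" layout and a gen-msg.map excerpt in the "gid || sid || msg" layout (both assumed; the map contents and the sig_id 12 row are constructed), then reports which placeholder rows the maps would now resolve, which remain unmapped, and which gid:sid:rev values were inserted more than once, as 402/499 and 420/549 were in the output above.

```python
import re

# barnyard2 writes this placeholder when neither sid-msg.map nor gen-msg.map
# supplies a message for the alert's generator id / signature id.
PLACEHOLDER_RE = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")


def _split_map_line(line):
    """Return the '||'-separated fields of one map line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """Parse 'sid || msg || ref ...' lines into {(1, sid): msg}.

    sid-msg.map carries no generator id, so gid 1 (the rules engine) is assumed.
    """
    names = {}
    for line in text.splitlines():
        fields = _split_map_line(line)
        if fields and len(fields) >= 2 and fields[0].isdigit():
            names[(1, int(fields[0]))] = fields[1]
    return names


def parse_gen_msg_map(text):
    """Parse 'gid || sid || msg' lines into {(gid, sid): msg}."""
    names = {}
    for line in text.splitlines():
        fields = _split_map_line(line)
        if fields and len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            names[(int(fields[0]), int(fields[1]))] = fields[2]
    return names


def placeholder_ids(rows):
    """Map sig_id -> (gid, sid, rev) for every (sig_id, sig_name) row carrying the fallback name."""
    found = {}
    for sig_id, sig_name in rows:
        match = PLACEHOLDER_RE.match(sig_name)
        if match:
            found[int(sig_id)] = tuple(int(g) for g in match.groups())
    return found


def audit(rows, sid_map_text, gen_map_text):
    """Return (resolved, unresolved, duplicates).

    resolved   : {sig_id: msg} placeholder rows the supplied maps can now name
    unresolved : {sig_id: (gid, sid, rev)} placeholder rows still absent from both maps
    duplicates : {(gid, sid, rev): [sig_id, ...]} placeholder names present more than once
    """
    names = parse_sid_msg_map(sid_map_text)
    names.update(parse_gen_msg_map(gen_map_text))
    resolved, unresolved, seen = {}, {}, {}
    for sig_id, (gid, sid, rev) in placeholder_ids(rows).items():
        seen.setdefault((gid, sid, rev), []).append(sig_id)
        msg = names.get((gid, sid))
        if msg is None:
            unresolved[sig_id] = (gid, sid, rev)
        else:
            resolved[sig_id] = msg
    duplicates = {key: ids for key, ids in seen.items() if len(ids) > 1}
    return resolved, unresolved, duplicates


# Constructed sample input: a few rows in the shape of the query output above,
# plus one properly named row (sig_id 12 is invented for the example).
SAMPLE_ROWS = [
    ("12", "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt"),
    ("969", "Snort Alert [138:2:0]"),
    ("402", "Snort Alert [1:2402000:0]"),
    ("499", "Snort Alert [1:2402000:0]"),
    ("377", "Snort Alert [1:66666:0]"),
]

# Constructed map excerpts; the messages are placeholders, not real rule text.
SAMPLE_SID_MSG_MAP = """\
# sid || msg || reference ...
2402000 || EXAMPLE rule message (constructed) || url,example.invalid
13974 || ANOTHER EXAMPLE rule message (constructed)
"""

SAMPLE_GEN_MSG_MAP = """\
# gid || sid || msg
138 || 2 || EXAMPLE preprocessor message (constructed)
"""


def run_audit():
    """Run the audit over the constructed sample; sid 66666 is left unmapped on purpose."""
    return audit(SAMPLE_ROWS, SAMPLE_SID_MSG_MAP, SAMPLE_GEN_MSG_MAP)


if __name__ == "__main__":
    resolved, unresolved, duplicates = run_audit()
    for sig_id, msg in sorted(resolved.items()):
        print(f"sig_id {sig_id}: can be renamed to {msg!r}")
    for sig_id, ids in sorted(unresolved.items()):
        print(f"sig_id {sig_id}: no map entry for gid:sid {ids[0]}:{ids[1]}")
    for key, ids in duplicates.items():
        print(f"{key[0]}:{key[1]}:{key[2]} inserted as sig_ids {ids}")
```

Feeding it the real query output and the map files barnyard2 actually reads shows at once whether the maps simply lack entries for the rulesets in use (the 24xxxxx and 25xxxxx SIDs above, for instance) or whether a SID is unknown to every map; rows that resolve can be renamed in place, while the duplicate placeholders need deduplicating before the names are fixed, otherwise the same gid:sid keeps pointing at two sig_id values.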