[Snort-users] snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Fri Aug 27 10:42:07 EDT 2010


JJ,

The sid-msg.map is the one downloaded with new rules, don't they update that file?

Thanks,
Larry

  ----- Original Message ----- 
  From: JJC 
  To: Lawrence R. Hughes, Sr. 
  Cc: snort-users at lists.sourceforge.net 
  Sent: Friday, August 27, 2010 10:32 AM
  Subject: Re: [Snort-users] snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem


  You need to update your sid-msg map so that it has all of the meta information for those SIDs.  You then need to (re)start barnyard2 so that it inserts the correct information from that point forward.  Of course that doesn't fix the existing data in the database.  To fix that you will need to either build a tool that will go back and update the entries with the meta information or you will want to delete the data and restart barnyard2 telling it to read and insert the old unified data.


  JJC


  On Fri, Aug 27, 2010 at 7:54 AM, Lawrence R. Hughes, Sr. <lhughes at ...14895...2...> wrote:

    Hi,

    Found a problem where the following was returned from the snort.signature table for the following query:

    SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';

    '969', 'Snort Alert [138:2:0]'
    '443', 'Snort Alert [138:4:0]'
    '1181', 'Snort Alert [1:13974:0]'
    '1163', 'Snort Alert [1:14782:0]'
    '1251', 'Snort Alert [1:15114:0]'
    '1160', 'Snort Alert [1:16180:0]'
    '402', 'Snort Alert [1:2402000:0]'
    '420', 'Snort Alert [1:2402001:0]'
    '499', 'Snort Alert [1:2402000:0]'
    '549', 'Snort Alert [1:2402001:0]'
    '504', 'Snort Alert [1:2406085:0]'
    '531', 'Snort Alert [1:2406097:0]'
    '558', 'Snort Alert [1:2406011:0]'
    '628', 'Snort Alert [1:2406063:0]'
    '676', 'Snort Alert [1:2406010:0]'
    '498', 'Snort Alert [1:2406181:0]'
    '505', 'Snort Alert [1:2406189:0]'
    '601', 'Snort Alert [1:2406146:0]'
    '622', 'Snort Alert [1:2406144:0]'
    '625', 'Snort Alert [1:2406183:0]'
    '433', 'Snort Alert [1:2406242:0]'
    '529', 'Snort Alert [1:2406237:0]'
    '544', 'Snort Alert [1:2406281:0]'
    '576', 'Snort Alert [1:2406207:0]'
    '617', 'Snort Alert [1:2406260:0]'
    '666', 'Snort Alert [1:2406245:0]'
    '555', 'Snort Alert [1:2406361:0]'
    '564', 'Snort Alert [1:2406391:0]'
    '501', 'Snort Alert [1:2406493:0]'
    '568', 'Snort Alert [1:2406463:0]'
    '623', 'Snort Alert [1:2406418:0]'
    '624', 'Snort Alert [1:2406492:0]'
    '641', 'Snort Alert [1:2406489:0]'
    '503', 'Snort Alert [1:2406569:0]'
    '554', 'Snort Alert [1:2406595:0]'
    '570', 'Snort Alert [1:2406503:0]'
    '619', 'Snort Alert [1:2406542:0]'
    '643', 'Snort Alert [1:2406584:0]'
    '649', 'Snort Alert [1:2406594:0]'
    '661', 'Snort Alert [1:2406564:0]'
    '414', 'Snort Alert [1:2406649:0]'
    '415', 'Snort Alert [1:2406648:0]'
    '479', 'Snort Alert [1:2406614:0]'
    '516', 'Snort Alert [1:2406621:0]'
    '543', 'Snort Alert [1:2406608:0]'
    '574', 'Snort Alert [1:2406623:0]'
    '629', 'Snort Alert [1:2406641:0]'
    '630', 'Snort Alert [1:2406640:0]'
    '644', 'Snort Alert [1:2406612:0]'
    '668', 'Snort Alert [1:2406606:0]'
    '432', 'Snort Alert [1:2500036:0]'
    '435', 'Snort Alert [1:2500004:0]'
    '472', 'Snort Alert [1:2500024:0]'
    '473', 'Snort Alert [1:2500016:0]'
    '474', 'Snort Alert [1:2500030:0]'
    '494', 'Snort Alert [1:2500020:0]'
    '495', 'Snort Alert [1:2500098:0]'
    '552', 'Snort Alert [1:2500088:0]'
    '553', 'Snort Alert [1:2500099:0]'
    '559', 'Snort Alert [1:2500071:0]'
    '565', 'Snort Alert [1:2500077:0]'
    '566', 'Snort Alert [1:2500002:0]'
    '567', 'Snort Alert [1:2500063:0]'
    '581', 'Snort Alert [1:2500024:0]'
    '590', 'Snort Alert [1:2500008:0]'
    '616', 'Snort Alert [1:2500004:0]'
    '618', 'Snort Alert [1:2500022:0]'
    '652', 'Snort Alert [1:2500020:0]'
    '662', 'Snort Alert [1:2500016:0]'
    '667', 'Snort Alert [1:2500042:0]'
    '677', 'Snort Alert [1:2500030:0]'
    '416', 'Snort Alert [1:2500174:0]'
    '417', 'Snort Alert [1:2500135:0]'
    '477', 'Snort Alert [1:2500142:0]'
    '481', 'Snort Alert [1:2500124:0]'
    '483', 'Snort Alert [1:2500118:0]'
    '492', 'Snort Alert [1:2500100:0]'
    '493', 'Snort Alert [1:2500126:0]'
    '533', 'Snort Alert [1:2500150:0]'
    '550', 'Snort Alert [1:2500148:0]'
    '556', 'Snort Alert [1:2500168:0]'
    '571', 'Snort Alert [1:2500126:0]'
    '572', 'Snort Alert [1:2500182:0]'
    '573', 'Snort Alert [1:2500139:0]'
    '575', 'Snort Alert [1:2500154:0]'
    '586', 'Snort Alert [1:2500170:0]'
    '591', 'Snort Alert [1:2500162:0]'
    '592', 'Snort Alert [1:2500114:0]'
    '595', 'Snort Alert [1:2500106:0]'
    '596', 'Snort Alert [1:2500122:0]'
    '597', 'Snort Alert [1:2500176:0]'
    '609', 'Snort Alert [1:2500108:0]'
    '613', 'Snort Alert [1:2500104:0]'
    '614', 'Snort Alert [1:2500130:0]'
    '627', 'Snort Alert [1:2500166:0]'
    '632', 'Snort Alert [1:2500128:0]'
    '633', 'Snort Alert [1:2500102:0]'
    '634', 'Snort Alert [1:2500102:0]'
    '635', 'Snort Alert [1:2500120:0]'
    '639', 'Snort Alert [1:2500164:0]'
    '646', 'Snort Alert [1:2500110:0]'
    '475', 'Snort Alert [1:2500245:0]'
    '478', 'Snort Alert [1:2500266:0]'
    '496', 'Snort Alert [1:2500218:0]'
    '557', 'Snort Alert [1:2500211:0]'
    '594', 'Snort Alert [1:2500272:0]'
    '637', 'Snort Alert [1:2500232:0]'
    '638', 'Snort Alert [1:2500232:0]'
    '664', 'Snort Alert [1:2500208:0]'
    '665', 'Snort Alert [1:2500210:0]'
    '534', 'Snort Alert [1:2520138:0]'
    '377', 'Snort Alert [1:66666:0]'

    Barnyard2 is supposed to insert signature names like "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt" into sig_name of the snort.signature table, correct?

    So what happened? 

    Better yet, how do we clean this mess up?

    We think Barnyard2 is not at fault, and the snort sid-msg.map and rules are the problem.

    Are we thinking in the correct direction?

    Thanks,
    Larry


    _______________________________________________
    Snort-users mailing list
    Snort-users at lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
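The "build a tool that will go back and update the entries" option from JJ's reply, as an added example (not code from the thread, barnyard2 or Snort): a Python script that parses sid-msg.map ("sid || msg || refs") and gen-msg.map ("gid || sid || msg"), recognises the "Snort Alert [gid:sid:rev]" fallback names shown in the query output above, and emits UPDATE statements for the rows whose message is now known. It also reports SIDs still absent from the maps (barnyard2 would write the same placeholder again for those) and placeholder keys that occur on more than one signature row, which the output above shows for 1:2402000:0 and others. The column names sig_id and sig_name come from the query on the page; the map excerpts and their message texts are constructed samples, and MySQL-style quoting is assumed.

```python
import re
from collections import defaultdict

# Fallback name barnyard2 writes when the gid:sid pair is missing from its maps.
PLACEHOLDER = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")


def parse_msg_map(text, with_gid):
    """Map (gid, sid) -> msg from '||'-separated map lines.

    sid-msg.map lines are 'sid || msg || ref,...' (generator 1, i.e. rules);
    gen-msg.map lines are 'gid || sid || msg' (preprocessor/decoder events).
    """
    names = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if line.lstrip().startswith("#") or len(parts) < (3 if with_gid else 2):
            continue
        try:
            if with_gid:
                names[(int(parts[0]), int(parts[1]))] = parts[2]
            else:
                names[(1, int(parts[0]))] = parts[1]
        except ValueError:
            continue  # malformed line, skip it
    return names


def parse_placeholder(sig_name):
    """Return (gid, sid, rev) for a placeholder name, or None for a real name."""
    m = PLACEHOLDER.match(sig_name)
    return tuple(int(g) for g in m.groups()) if m else None


def plan_updates(rows, names):
    """Classify (sig_id, sig_name) rows against the parsed maps.

    Returns (updates, missing, duplicates):
      updates    - [(sig_id, new_name)] rows whose map entry is now known
      missing    - [(sig_id, gid, sid)] placeholders still absent from the maps
      duplicates - {(gid, sid, rev): [sig_id, ...]} keys on more than one row
    """
    updates, missing, seen = [], [], defaultdict(list)
    for sig_id, sig_name in rows:
        key = parse_placeholder(sig_name)
        if key is None:
            continue  # already a proper name, leave the row alone
        gid, sid, _rev = key
        seen[key].append(sig_id)
        msg = names.get((gid, sid))
        if msg is None:
            missing.append((sig_id, gid, sid))
        else:
            updates.append((sig_id, msg))
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return updates, missing, duplicates


def sql_literal(s):
    """Quote a string for a MySQL statement (backslash and quote escaping)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_sql(updates):
    """One UPDATE per row, for review before anything is run against the DB."""
    return ["UPDATE snort.signature SET sig_name=%s WHERE sig_id=%d;"
            % (sql_literal(msg), sig_id) for sig_id, msg in updates]


# Constructed sample data (not the poster's real files): rows in the shape of
# the query output above, plus map excerpts whose messages are made up.
SAMPLE_ROWS = [
    (12, "NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt"),
    (402, "Snort Alert [1:2402000:0]"),
    (499, "Snort Alert [1:2402000:0]"),
    (504, "Snort Alert [1:2406085:0]"),
    (969, "Snort Alert [138:2:0]"),
    (377, "Snort Alert [1:66666:0]"),
]
SAMPLE_SID_MSG_MAP = """\
# constructed excerpt; messages are placeholders, not the real rule text
2402000 || SAMPLE rule 2402000 message || url,example.invalid
2406085 || SAMPLE rule 2406085 message
"""
SAMPLE_GEN_MSG_MAP = """\
# constructed excerpt
138 || 2 || SAMPLE generator 138 event 2
"""


def run_sample():
    names = parse_msg_map(SAMPLE_SID_MSG_MAP, with_gid=False)
    names.update(parse_msg_map(SAMPLE_GEN_MSG_MAP, with_gid=True))
    return plan_updates(SAMPLE_ROWS, names)


if __name__ == "__main__":
    updates, missing, duplicates = run_sample()
    print("\n".join(render_sql(updates)))
    for sig_id, gid, sid in missing:
        print("-- sig_id %d: no map entry for %d:%d" % (sig_id, gid, sid))
    for key, ids in duplicates.items():
        print("-- %s has several signature rows: %s" % (key, ids))
```

Two caveats follow from what JJ says. The v1 sid-msg.map format carries no classification or priority, so rows renamed this way still lack the class and priority a fresh barnyard2 insert would have set, and a placeholder key present on several sig_id rows means events for one rule stay split across those rows even after renaming; both are reasons the second option in JJ's reply, deleting the data and replaying the old unified2 files with an updated map, gives a cleaner result.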

