[Snort-users] Best script to pre-load signature metadata into a database
elof at ...6680...
Thu Oct 7 11:43:17 EDT 2010
On Thu, 7 Oct 2010, Joel Esler wrote:
> On Oct 7, 2010, at 10:19 AM, elof at ...6680... wrote:
>> I want to pre-load my Postgres database with all the signature metadata
>> (titles, references, prios, etc) from my rules.
>> I found the script 'rules.pl' in an old FLoP tarball...
>> ...but if there is a script that import the Generator signatures (from
>> gen-msg.map) as well, that would be even better.
>> What am I looking for?
> I have no idea.
> If you take barnyard2 (if that outputs to postgres), and point it at your sid-msg.map file when barnyard2 starts up, it will insert all that stuff into the db when you have an alert.
> Otherwise, can you clarify what you are trying to do?
There is a bug, or rather a race condition, when you have more than one
sensor that sees the same traffic.
Both sensors log the same alert.
Both barnyard2 processes ask the database: Does there already exist metadata
in the database for sid 1234?
The database checks and answers No to both queries.
Both barnyard2 processes will then insert the metadata.
This results in TWO inserts for the same metadata for sid 1234, so the
next time this sid triggers an alert, Barnyard2 asks the database "Does there
already exist metadata in the database for sid 1234?", and the database
responds with TWO references. The database output module in barnyard2 can't
handle this since there must be one unique reference.
So no sid 1234 events are logged to the database, and simultaneously the
syslog is flooded with warnings about:
database: warning (SELECT sig_id FROM signature WHERE sig_name = 'SNMP
private access udp ' AND sig_rev = 13 AND sig_sid = 1413 AND
sig_gid = 1 ) returned more than one result
barnyard2: database: warning (SELECT ref_id FROM reference WHERE
ref_system_id = 1 AND ref_tag = '4088') returned more than one result
By pre-loading the database with all metadata before snort and barnyard2
are even started, this race condition should never appear, because when
both sensors ask "Does there already exist metadata in the database for sid
1234?" both answers will be Yes, and there won't be duplicate
As a positive side effect, barnyard2 will log alerts faster, since it will
never have to deal with inserting metadata before inserting the actual
What I'm looking for is the best and most updated script for inserting all
this metadata (from sid-msg.map, reference.config, classification.config
What am I looking for?
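An added example, not the FLoP rules.pl script and not code from this thread: a small preloader that parses sid-msg.map lines in the classic `sid || msg || system,tag || ...` layout and inserts them under UNIQUE constraints, so a second run (or a second sensor's barnyard2 racing the first) cannot create the duplicate signature and reference rows described above. It assumes an in-memory SQLite database and constructed sample lines; the poster's target is Postgres, where the equivalent of `INSERT OR IGNORE` is `INSERT ... ON CONFLICT DO NOTHING`, and the column names follow the warnings quoted above (sig_name, sig_rev, sig_sid, sig_gid, ref_system_id, ref_tag).

```python
import sqlite3

# Constructed sample in the classic sid-msg.map layout: sid || msg || ref ...
# The repeated 1413 line stands in for a second writer racing the first.
SAMPLE_SID_MSG_MAP = """\
# comment lines and blank lines are skipped
1413 || SNMP private access udp || bugtraq,2112 || cve,1999-0517 || nessus,10264
1413 || SNMP private access udp || bugtraq,2112 || cve,1999-0517 || nessus,10264
2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || cve,2002-0649
"""

# Minimal signature/reference tables (assumed layout); the UNIQUE constraints
# are what make the preload idempotent and close the check-then-insert race.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
  sig_rev INTEGER NOT NULL, sig_sid INTEGER NOT NULL, sig_gid INTEGER NOT NULL,
  UNIQUE (sig_name, sig_rev, sig_sid, sig_gid));
CREATE TABLE reference_system (ref_system_id INTEGER PRIMARY KEY,
  ref_system_name TEXT NOT NULL UNIQUE);
CREATE TABLE reference (ref_id INTEGER PRIMARY KEY, ref_system_id INTEGER NOT NULL,
  ref_tag TEXT NOT NULL, UNIQUE (ref_system_id, ref_tag));
"""

def parse_sid_msg_map(text):
    """Yield (sid, msg, [(system, tag), ...]) for each rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        sid, msg = int(fields[0]), fields[1]
        refs = [tuple(r.split(",", 1)) for r in fields[2:] if "," in r]
        yield sid, msg, refs

def preload(conn, text, gid=1, rev=0):
    """Insert every signature and reference; re-running is a no-op because
    duplicates are rejected by the UNIQUE constraints, not by a SELECT first."""
    cur = conn.cursor()
    for sid, msg, refs in parse_sid_msg_map(text):
        cur.execute("INSERT OR IGNORE INTO signature(sig_name, sig_rev, sig_sid, sig_gid)"
                    " VALUES (?, ?, ?, ?)", (msg, rev, sid, gid))
        for system, tag in refs:
            cur.execute("INSERT OR IGNORE INTO reference_system(ref_system_name) VALUES (?)", (system,))
            sys_id = cur.execute("SELECT ref_system_id FROM reference_system WHERE ref_system_name = ?",
                                 (system,)).fetchone()[0]
            cur.execute("INSERT OR IGNORE INTO reference(ref_system_id, ref_tag) VALUES (?, ?)", (sys_id, tag))
    conn.commit()

def row_counts(conn):
    """Return (signatures, reference systems, references) currently stored."""
    return tuple(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                 for t in ("signature", "reference_system", "reference"))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    preload(conn, SAMPLE_SID_MSG_MAP)
    preload(conn, SAMPLE_SID_MSG_MAP)  # second sensor / second run: nothing duplicated
    return row_counts(conn)  # returns (2, 3, 5)
```

Note that barnyard2's lookup in the warning above also matches on sig_rev, which the classic sid-msg.map does not carry, so a preloaded row only prevents the race if its rev matches the rule revision barnyard2 reports.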