[Snort-users] snort barnyard2 unified2 classification_id

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Sep 2 14:35:42 EDT 2010


I have noticed that snort populates the 32 bit field for the classification id in its unified2 output, but barnyard2 never inserts the classification id into the database?

Below is a snapshot from our mysql.log of all transactions between barnyard2 and mysql:

554 Query BEGIN

554 Query SELECT sig_id FROM signature WHERE sig_name = 'POLICY RDP attempted administrator connection request ' AND sig_rev = 4 AND sig_sid = 4060 AND sig_gid = 1

554 Query INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 8033026, 151, '2010-09-02 13:19:47')

554 Query INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp) VALUES (1,8033026,2485,3389,2993058147,3596227729,5,0,24,64240,13925,0)

554 Query INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_proto, ip_csum) VALUES (1,8033026,1610675175,1113420664,4,5,32,83,9580,0,0,51,6,6236)

554 Query INSERT INTO data (sid,cid,data_payload) VALUES (1,8033026,'0300002B26E00000000000436F6F6B69653A206D737473686173683D61646D696E6973747261746F720D0A')

554 Query COMMIT

So how does BASE know the class_id?
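As an added example (not from the original post, and not Snort or barnyard2 code), the decoder below unpacks a unified2 IDS event record (record type 7) and shows where the 32-bit classification_id field sits alongside the sid/gid/rev, ports and integer-encoded addresses that the mysql.log above reproduces. The sample record is constructed from the values in that log; the classification_id value 3 is a placeholder, since the log never shows the real one.

```python
import struct
from ipaddress import IPv4Address

# unified2 record header (type, length) followed by the Unified2IDSEvent body,
# all fields big-endian with no padding.
UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct("!II")
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte IPv4 event body
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)


def parse_ids_event(record: bytes) -> dict:
    """Decode one unified2 record; only type 7 (IPv4 IDS event) is handled."""
    rtype, rlen = RECORD_HDR.unpack_from(record, 0)
    if rtype != UNIFIED2_IDS_EVENT:
        raise ValueError(f"unsupported unified2 record type {rtype}")
    if rlen != IDS_EVENT.size or len(record) < RECORD_HDR.size + rlen:
        raise ValueError("truncated or malformed IDS event record")
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(record, RECORD_HDR.size)))
    # unified2 and barnyard2's iphdr table both store addresses as 32-bit integers,
    # exactly as seen in the INSERT INTO iphdr line of the log.
    ev["ip_source"] = str(IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(IPv4Address(ev["ip_destination"]))
    return ev


def build_sample_record() -> bytes:
    """Constructed record: sid/gid/rev, ports and addresses taken from the log
    above; classification_id=3 and priority_id=2 are placeholders, and
    event_second is 2010-09-02 13:19:47 EDT as epoch seconds."""
    body = IDS_EVENT.pack(
        1, 8033026, 1283447987, 0,      # sensor_id, event_id, second, usec
        4060, 1, 4,                     # signature_id, generator_id, revision
        3, 2,                           # classification_id, priority_id
        1610675175, 1113420664,         # ip_source, ip_destination (as ints)
        2485, 3389,                     # sport_itype, dport_icode
        6, 0, 0, 0,                     # protocol (TCP), impact_flag, impact, blocked
    )
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


if __name__ == "__main__":
    for k, v in parse_ids_event(build_sample_record()).items():
        print(f"{k:20s} {v}")
```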
