[Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id

Paul Schmehl pschmehl_lists at ...14358...
Thu Sep 2 17:20:36 EDT 2010


--On Thursday, September 02, 2010 14:35:42 -0400 "Lawrence R. Hughes, Sr." 
<lhughes at ...14822...> wrote:

>
> Hi,
>
> I have noticed that snort populates the 32 bit field for the classification
> id in its unified2 output, but barnyard2 never inserts the classification id
> into the database?
>
[snipped details]
>
> So how does base know the class_id?
>

The classification id is "embedded" in the db already.  Each active signature 
is registered with its class_id when it's read into snort during startup.  When 
a signature triggers, its sig_name ties to all the other values.

mysql> describe sig_class;
+----------------+------------------+------+-----+---------+----------------+
| Field          | Type             | Null | Key | Default | Extra          |
+----------------+------------------+------+-----+---------+----------------+
| sig_class_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_class_name | varchar(60)      | NO   | MUL | NULL    |                |
+----------------+------------------+------+-----+---------+----------------+
2 rows in set (0.02 sec)

mysql> describe signature;
+--------------+------------------+------+-----+---------+----------------+
| Field        | Type             | Null | Key | Default | Extra          |
+--------------+------------------+------+-----+---------+----------------+
| sig_id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| sig_name     | varchar(255)     | NO   | MUL | NULL    |                |
| sig_class_id | int(10) unsigned | NO   | MUL | NULL    |                |
| sig_priority | int(10) unsigned | YES  |     | NULL    |                |
| sig_rev      | int(10) unsigned | YES  |     | NULL    |                |
| sig_sid      | int(10) unsigned | YES  |     | NULL    |                |
| sig_gid      | int(10) unsigned | YES  |     | NULL    |                |
+--------------+------------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)

mysql> select * from sig_class limit 25;
+--------------+--------------------------+
| sig_class_id | sig_class_name           |
+--------------+--------------------------+
|            1 | trojan-activity          |
|            2 | misc-activity            |
|            3 | non-standard-protocol    |
|            4 | bad-unknown              |
|            5 | web-application-attack   |
|            6 | attempted-admin          |
|            7 | attempted-recon          |
|            8 | web-application-activity |
|            9 | successful-recon-limited |
|           10 | attempted-dos            |
|           11 | policy-violation         |
|           12 | rpc-portmap-decode       |
|           13 | protocol-command-decode  |
|           14 | string-detect            |
|           15 | misc-attack              |
|           16 | shellcode-detect         |
|           17 | successful-admin         |
+--------------+--------------------------+
17 rows in set (0.00 sec)

mysql> select count(sig_name) from signature;
+-----------------+
| count(sig_name) |
+-----------------+
|             685 |
+-----------------+
1 row in set (0.00 sec)

mysql> select sig_name, sig_class_id from signature where sig_name like '%et trojan%' limit 5;
+-------------------------------------------------------------+--------------+
| sig_name                                                    | sig_class_id |
+-------------------------------------------------------------+--------------+
| "ET TROJAN Torpig Reporting User Activity (wur8)"           |            1 |
| "ET TROJAN Torpig Reporting User Activity (x25)"            |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
| "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |            1 |
| "ET TROJAN Torpig Infection Reporting"                      |            1 |
+-------------------------------------------------------------+--------------+
5 rows in set (0.00 sec)

mysql> select sig_id, signature.sig_class_id, sig_name from signature, sig_class where signature.sig_class_id=sig_class.sig_class_id and sig_name like '%et trojan%' limit 5;
+--------+--------------+-------------------------------------------------------------+
| sig_id | sig_class_id | sig_name                                                    |
+--------+--------------+-------------------------------------------------------------+
|    304 |            1 | "ET TROJAN Torpig Reporting User Activity (wur8)"           |
|    305 |            1 | "ET TROJAN Torpig Reporting User Activity (x25)"            |
|    306 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
|    309 |            1 | "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |
|    338 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
+--------+--------------+-------------------------------------------------------------+
5 rows in set (0.00 sec)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
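The resolution path the reply describes (class attached to the signature row at rule-load time, event row pointing only at the signature, BASE joining event -> signature -> sig_class) can be exercised end to end with a small in-memory database. The following is an added example written for this page, not code from barnyard2, BASE or Snort: the `sig_class` and `signature` tables follow the `describe` output above, while the `event` table layout, the `register_signature` / `record_event` / `classify_event` helpers, the gid/sid/rev lookup key and the rule identifiers (sid 2000001, rev 3) are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed, simplified subset of the Snort/BASE schema. The sig_class and
# signature tables follow the `describe` output in the post; the `event` table
# (sid, cid, signature, timestamp) is an assumption about the real schema.
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name TEXT NOT NULL UNIQUE
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER NOT NULL REFERENCES sig_class(sig_class_id),
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,               -- sensor id
    cid       INTEGER NOT NULL,               -- per-sensor event counter
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def open_db():
    """In-memory database with the three tables above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_signature(conn, name, class_name, gid, sid, rev, priority):
    """Rule-load time (hypothetical helper): attach the class to the
    signature row once. Keyed on gid/sid/rev, an assumption; the real
    barnyard2 lookup may differ. Returns the sig_id."""
    cur = conn.cursor()
    cur.execute("INSERT OR IGNORE INTO sig_class (sig_class_name) VALUES (?)",
                (class_name,))
    class_id = cur.execute(
        "SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?",
        (class_name,)).fetchone()[0]
    row = cur.execute(
        "SELECT sig_id FROM signature WHERE sig_gid=? AND sig_sid=? AND sig_rev=?",
        (gid, sid, rev)).fetchone()
    if row is not None:
        return row[0]                     # already registered: reuse it
    cur.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, "
        "sig_rev, sig_sid, sig_gid) VALUES (?, ?, ?, ?, ?, ?)",
        (name, class_id, priority, rev, sid, gid))
    conn.commit()
    return cur.lastrowid


def record_event(conn, sensor_id, cid, gid, sid, rev, timestamp):
    """Alert time: the unified2 record's class id is not stored; the event
    row only points at the signature row, which already carries the class."""
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_gid=? AND sig_sid=? AND sig_rev=?",
        (gid, sid, rev)).fetchone()
    if row is None:
        raise LookupError(f"no signature row for {gid}:{sid}:{rev}")
    conn.execute("INSERT INTO event (sid, cid, signature, timestamp) "
                 "VALUES (?, ?, ?, ?)", (sensor_id, cid, row[0], timestamp))
    conn.commit()


def classify_event(conn, sensor_id, cid):
    """The join BASE relies on: event -> signature -> sig_class.
    Returns (sig_name, sig_class_id, sig_class_name, sig_priority)."""
    return conn.execute(
        "SELECT s.sig_name, c.sig_class_id, c.sig_class_name, s.sig_priority "
        "FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "JOIN sig_class c ON c.sig_class_id = s.sig_class_id "
        "WHERE e.sid = ? AND e.cid = ?", (sensor_id, cid)).fetchone()


def demo():
    """Populate the first three classes from the post, register one ET rule
    (gid/sid/rev values constructed), raise one event and classify it."""
    conn = open_db()
    for cname in ("trojan-activity", "misc-activity", "non-standard-protocol"):
        conn.execute("INSERT INTO sig_class (sig_class_name) VALUES (?)", (cname,))
    first = register_signature(conn, "ET TROJAN Torpig Reporting User Activity (wur8)",
                               "trojan-activity", gid=1, sid=2000001, rev=3, priority=1)
    again = register_signature(conn, "ET TROJAN Torpig Reporting User Activity (wur8)",
                               "trojan-activity", gid=1, sid=2000001, rev=3, priority=1)
    assert first == again                  # re-reading the rule adds no row
    record_event(conn, sensor_id=1, cid=1, gid=1, sid=2000001, rev=3,
                 timestamp="2010-09-02 14:35:42")
    return classify_event(conn, 1, 1)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `('ET TROJAN Torpig Reporting User Activity (wur8)', 1, 'trojan-activity', 1)`: the class id never has to be written per event because the signature row already carries it. The `LookupError` in `record_event` is the failure mode worth checking on a real sensor: an event arriving for a signature that was never registered cannot be classified by the join at all.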