[Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Sep 2 17:52:36 EDT 2010


Hi Paul,

Thanks for your reply, going on your description:

paul> The classification id is "embedded" in the db already.  Each active
paul> signature is registered with its class_id when it's read into snort during
paul> startup.  When a signature triggers, its sig_name ties to all the other values.

I cleared my mysql.log, started barnyard2 then snort.

I checked the mysql.log and it did not show where barnyard did anything you mentioned above at startup.


Thanks,
Larry



----- Original Message ----- 
From: "Paul Schmehl" <pschmehl_lists at ...14358...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>; <snort-users at lists.sourceforge.net>
Sent: Thursday, September 02, 2010 5:20 PM
Subject: Re: [Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id


> --On Thursday, September 02, 2010 14:35:42 -0400 "Lawrence R. Hughes, Sr." <lhughes at ...14822...> wrote:
>
>>
>> Hi,
>>
>> I have noticed that snort populates the 32 bit field for the classification
>> id in its unified2 output, but barnyard2 never inserts the classification id
>> into the database?
>>
> [snipped details]
>>
>> So how does base know the class_id?
>>
>
> The classification id is "embedded" in the db already.  Each active 
> signature is registered with its class_id when it's read into snort during 
> startup.  When a signature triggers, its sig_name ties to all the other 
> values.
>
> mysql> describe sig_class;
> +----------------+------------------+------+-----+---------+----------------+
> | Field          | Type             | Null | Key | Default | Extra          |
> +----------------+------------------+------+-----+---------+----------------+
> | sig_class_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
> | sig_class_name | varchar(60)      | NO   | MUL | NULL    |                |
> +----------------+------------------+------+-----+---------+----------------+
> 2 rows in set (0.02 sec)
>
> mysql> describe signature;
> +--------------+------------------+------+-----+---------+----------------+
> | Field        | Type             | Null | Key | Default | Extra          |
> +--------------+------------------+------+-----+---------+----------------+
> | sig_id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
> | sig_name     | varchar(255)     | NO   | MUL | NULL    |                |
> | sig_class_id | int(10) unsigned | NO   | MUL | NULL    |                |
> | sig_priority | int(10) unsigned | YES  |     | NULL    |                |
> | sig_rev      | int(10) unsigned | YES  |     | NULL    |                |
> | sig_sid      | int(10) unsigned | YES  |     | NULL    |                |
> | sig_gid      | int(10) unsigned | YES  |     | NULL    |                |
> +--------------+------------------+------+-----+---------+----------------+
> 7 rows in set (0.00 sec)
>
> mysql> select * from sig_class limit 25;
> +--------------+--------------------------+
> | sig_class_id | sig_class_name           |
> +--------------+--------------------------+
> |            1 | trojan-activity          |
> |            2 | misc-activity            |
> |            3 | non-standard-protocol    |
> |            4 | bad-unknown              |
> |            5 | web-application-attack   |
> |            6 | attempted-admin          |
> |            7 | attempted-recon          |
> |            8 | web-application-activity |
> |            9 | successful-recon-limited |
> |           10 | attempted-dos            |
> |           11 | policy-violation         |
> |           12 | rpc-portmap-decode       |
> |           13 | protocol-command-decode  |
> |           14 | string-detect            |
> |           15 | misc-attack              |
> |           16 | shellcode-detect         |
> |           17 | successful-admin         |
> +--------------+--------------------------+
> 17 rows in set (0.00 sec)
>
> mysql> select count(sig_name) from signature;
> +-----------------+
> | count(sig_name) |
> +-----------------+
> |             685 |
> +-----------------+
> 1 row in set (0.00 sec)
>
> mysql> select sig_name, sig_class_id from signature where sig_name like '%et trojan%' limit 5;
> +-------------------------------------------------------------+--------------+
> | sig_name                                                    | sig_class_id |
> +-------------------------------------------------------------+--------------+
> | "ET TROJAN Torpig Reporting User Activity (wur8)"           |            1 |
> | "ET TROJAN Torpig Reporting User Activity (x25)"            |            1 |
> | "ET TROJAN Torpig Infection Reporting"                      |            1 |
> | "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |            1 |
> | "ET TROJAN Torpig Infection Reporting"                      |            1 |
> +-------------------------------------------------------------+--------------+
> 5 rows in set (0.00 sec)
>
> mysql> select sig_id, signature.sig_class_id, sig_name from signature, sig_class where signature.sig_class_id=sig_class.sig_class_id and sig_name like '%et trojan%' limit 5;
> +--------+--------------+-------------------------------------------------------------+
> | sig_id | sig_class_id | sig_name                                                    |
> +--------+--------------+-------------------------------------------------------------+
> |    304 |            1 | "ET TROJAN Torpig Reporting User Activity (wur8)"           |
> |    305 |            1 | "ET TROJAN Torpig Reporting User Activity (x25)"            |
> |    306 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
> |    309 |            1 | "ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo or Similar" |
> |    338 |            1 | "ET TROJAN Torpig Infection Reporting"                      |
> +--------+--------------+-------------------------------------------------------------+
> 5 rows in set (0.00 sec)
>
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> 
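The lookup chain Paul describes above (event -> signature.sig_id -> signature.sig_class_id -> sig_class.sig_class_name), as an added example; this is not code from the thread, from barnyard2 or from BASE. It rebuilds the two tables quoted above in an in-memory SQLite database and adds a minimal event table (sid, cid, signature), which is an assumption about the standard Snort DB layout rather than something quoted in the thread. The sample rows are constructed: the class names and the two Torpig signatures come from Paul's query output, while sig_id 999 is a made-up rule whose sig_class_id was never registered in sig_class, to model the failure mode Larry is chasing (a console resolves the class purely through this join, so such an event shows up with no class name).

```python
import sqlite3

# Schema mirrors the sig_class and signature tables quoted in the thread.
# The event table is an ASSUMPTION: a minimal (sid, cid, signature) layout
# in which event.signature references signature.sig_id.
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY,
    sig_class_name TEXT NOT NULL
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER NOT NULL,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample data. Class ids/names and the two Torpig signature rows
# follow Paul's output; priority/rev/sid/gid values are placeholders, and
# sig_id 999 is a hypothetical rule pointing at a class id (42) that was
# never registered in sig_class.
SIG_CLASSES = [(1, "trojan-activity"), (2, "misc-activity"), (7, "attempted-recon")]
SIGNATURES = [
    (304, '"ET TROJAN Torpig Reporting User Activity (wur8)"', 1, 1, 1, 1000001, 1),
    (305, '"ET TROJAN Torpig Reporting User Activity (x25)"', 1, 1, 1, 1000002, 1),
    (999, '"HYPOTHETICAL rule with unregistered class"', 42, 2, 1, 1000999, 1),
]
EVENTS = [(1, 1, 304), (1, 2, 305), (1, 3, 999)]


def build_db():
    """Create the in-memory DB and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sig_class VALUES (?, ?)", SIG_CLASSES)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?, ?, ?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", EVENTS)
    conn.commit()
    return conn


def class_for_event(conn, sid, cid):
    """Resolve an event's class name the way a console does: the event row
    carries only a sig_id; the class comes from signature -> sig_class.
    Returns None when the event is unknown or its class was never registered."""
    row = conn.execute(
        """SELECT sig_class.sig_class_name
           FROM event
           JOIN signature ON signature.sig_id = event.signature
           LEFT JOIN sig_class ON sig_class.sig_class_id = signature.sig_class_id
           WHERE event.sid = ? AND event.cid = ?""",
        (sid, cid),
    ).fetchone()
    return row[0] if row else None


def unregistered_classes(conn):
    """Diagnostic: signatures whose sig_class_id has no sig_class row.
    Any event tied to these will render without a class in BASE-style views."""
    rows = conn.execute(
        """SELECT signature.sig_id, signature.sig_name, signature.sig_class_id
           FROM signature
           LEFT JOIN sig_class ON sig_class.sig_class_id = signature.sig_class_id
           WHERE sig_class.sig_class_id IS NULL
           ORDER BY signature.sig_id"""
    ).fetchall()
    return [(r[0], r[1], r[2]) for r in rows]


if __name__ == "__main__":
    db = build_db()
    for sid, cid, _ in EVENTS:
        print(f"event sid={sid} cid={cid}: class={class_for_event(db, sid, cid)}")
    print("signatures with unregistered class ids:", unregistered_classes(db))
```

The two SELECTs use only standard joins, so the same queries can be pointed at a real barnyard2-populated MySQL database to confirm that every signature row resolves to a sig_class row; a non-empty result from the second query is the concrete symptom to look for when a console shows events without a classification.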