[Snort-users] Snort, Barnyard2 and Snorby alert classification mismatch

hanx hi hanxhi at ...6283...
Wed Jan 16 08:14:23 EST 2013


Hi everyone, I have this issue, maybe someone can help.

I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a frontend. My problems is
that I cannot match any snort rule classification with Snorby severity.

For example, I have this rule in Snort:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,to_client; content:"530 "; depth:4; metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)

As you can see, at the end of a line I assign a priority of 10 to that rule; when I trigger
the rule, by entering a wrong password to an ftp server, the alert log shows this:

01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt [**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730

We can see that the priority 10 was there. But I have Snort configured also to write the alerts
to unified2; then Barnyard pools the data there and writes them to a database. Later on, Snorby (the frontend), shows the data that is stored on that table, in a fancy style...

When I check the same alert on Snorby, the severity of that alert is set to 3, wich means is a low
priority alert. Of course I want to change that, but any modification that I made on Snort priority
doesn't show up on Snorby.

As Snorby only shows the data written on the database, I checked what was written for that alert:

mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from events_with_join order by timestamp desc limit 2;
+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
| sid | cid            | signature | timestamp                   | id   | sig_priority | sig_name                                           |
+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
|   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3      | POLICY failed FTP login attempt                    |

So, it seems that Barnyard2, responsible for taking the data from the unified archive and writing to the database is (?)
assigning a sig_priority of 3, which is not correct.

Perhaps someone has the same issue and can enlighten me...

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130116/9887f30f/attachment.html>


More information about the Snort-users mailing list