[Snort-users] Snort, Barnyard2 and Snorby alert classification mismatch

beenph beenph at ...11827...
Wed Jan 16 08:40:28 EST 2013


Forgot to say that you could also update the priority manually with a
UPDATE statement.

-elz


On Wed, Jan 16, 2013 at 8:37 AM, beenph <beenph at ...11827...> wrote:
> On Wed, Jan 16, 2013 at 8:14 AM, hanx hi <hanxhi at ...6283...> wrote:
>> Hi everyone, I have this issue, maybe someone can help.
>>
>> I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a
>> frontend. My problems is
>> that I cannot match any snort rule classification with Snorby severity.
>>
> Hi Hanx Hi,
>
> First i would suggest that you update to latest barnyard2
> (www.github.com/firnsy/barnyard2)
>
>> For example, I have this rule in Snort:
>>
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login
>> attempt"; flow:established,to_client; content:"530 "; depth:4;
>> metadata:policy security-ips alert;
>> reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)
>>
>> As you can see, at the end of a line I assign a priority of 10 to that rule;
>> when I trigger
>
> You changed the priority, for it to be set correctly you would need to delete
> the rule you have inserted in the database and re-run barnyard2.
>
> The rule would then be at the good priority (if you have changed it
> betwen the first insertion
> and a later insertion).
>
> Hope this helps,
>
> -elz




More information about the Snort-users mailing list