[Snort-users] Snort Barnyard2 and Snorby alert classification

Federico Carbonell federico_carbonell at ...16047...
Wed Jan 16 08:06:28 EST 2013

Hi everyone, I have this issue, maybe someone can help.

I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a
frontend. My problem is that I cannot match any Snort rule classification
with Snorby severity.

For example, I have this rule in Snort:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP
login attempt"; flow:established,to_client; content:"530 "; depth:4;
metadata:policy security-ips alert;
reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3;

As you can see, at the end of a line I assign a priority of 10 to that
rule; when I trigger
the rule, by entering a wrong password to an ftp server, the alert log
shows this:

01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt
[**] [Priority: 10] {TCP} ->

We can see that the priority 10 was there. But I have Snort configured
also to write the alerts
to unified2; then Barnyard pools the data there and writes them to a
database. Later on, Snorby (the frontend), shows the data that is stored
on that table, in a fancy style...

When I check the same alert on Snorby, the severity of that alert is set
to 3, which means it is a low priority alert. Of course I want to change
that, but any modification that I made on Snort priority doesn't show up
on Snorby.

As Snorby only shows the data written on the database, I checked what
was written for that alert:

mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from events_with_join order by timestamp desc limit 2;
| sid | cid     | signature | timestamp           | id   | sig_priority | sig_name                                           |
|   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3 | POLICY failed FTP login attempt                    |

So, it seems that Barnyard2, responsible for taking the data from the
unified archive and writing to the database is (?)
assigning a sig_priority of 3, which is not correct.

Perhaps someone has the same issue and can enlighten me...

Federico Carbonell

IT Infrastructure and Security Manager
Buenos Aires Container Terminal Services S.A.
Tel: 54-11-4510-9884
Fax: 54-11-4510-9891
Email: federico_carbonell at ...16047...
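
A check for the question raised in this message, as an added example that is not part of the original post: it reads the priority field directly from a unified2 spool file, which shows whether the value 10 was written by Snort before Barnyard2 touched the event. The layout used is the standard unified2 one (8-byte record header, nine big-endian 32-bit fields at the start of each event record); the function names and the sample bytes are constructed for illustration.

```python
import struct

# Unified2 record header: type and length, both big-endian uint32.
REC_HDR = struct.Struct(">II")
# First nine uint32 fields shared by the IDS event record types.
EVT_HEAD = struct.Struct(">9I")
EVENT_TYPES = {7, 72, 104, 105}  # IPv4, IPv6, and their VLAN/MPLS variants


def event_priorities(data):
    """Yield (gid, sid, rev, classification_id, priority_id) per event record."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = off + REC_HDR.size
        if body + rlen > len(data):
            break  # truncated tail: Snort may still be writing the record
        if rtype in EVENT_TYPES and rlen >= EVT_HEAD.size:
            (_sensor, _event, _sec, _usec,
             sid, gid, rev, class_id, prio) = EVT_HEAD.unpack_from(data, body)
            yield gid, sid, rev, class_id, prio
        off = body + rlen


def _sample_log():
    """Constructed sample: one packet record (type 2) and one IPv4 event."""
    # sensor, event, sec, usec, sid, gid, rev, classification, priority
    head = EVT_HEAD.pack(0, 1, 1358279470, 580376, 13360, 1, 3, 0, 10)
    # src ip, dst ip, sport, dport, protocol, impact_flag, impact, blocked
    tail = struct.pack(">IIHHBBBB", 0x0A000001, 0x0A000002, 21, 40000, 6, 0, 0, 0)
    event = head + tail
    packet = b"\x00" * 28  # placeholder body; non-event records are skipped
    return (REC_HDR.pack(2, len(packet)) + packet +
            REC_HDR.pack(7, len(event)) + event)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _sample_log()
    for gid, sid, rev, class_id, prio in event_priorities(raw):
        print(f"[{gid}:{sid}:{rev}] classification_id={class_id} priority_id={prio}")
```

Run it with the path of a unified2 file as the only argument and compare `priority_id` with the `sig_priority` column returned by the query above.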
