[Snort-users] Snort Barnyard2 and Snorby alert classification

beenph beenph at ...11827...
Sat Jan 19 08:34:09 EST 2013


Didn't you send the exact same e-mail with a different e-mail address to
the list 3 days ago?



On Wed, Jan 16, 2013 at 8:06 AM, Federico Carbonell <
federico_carbonell at ...16047...> wrote:

> Hi everyone, I have this issue, maybe someone can help.
>
> I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a
> frontend. My problem is that I cannot match any Snort rule classification
> with Snorby severity.
>
> For example, I have this rule in Snort:
>
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login
> attempt"; flow:established,to_client; content:"530 "; depth:4;
> metadata:policy security-ips alert; reference:url,
> www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)
>
> As you can see, at the end of a line I assign a priority of 10 to that
> rule; when I trigger
> the rule, by entering a wrong password to an ftp server, the alert log
> shows this:
>
> 01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt
> [**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730
>
> We can see that the priority 10 was there. But I have Snort configured
> also to write the alerts to unified2; then Barnyard polls the data there
> and writes it to a database. Later on, Snorby (the frontend) shows the
> data that is stored in that table, in a fancy style...
>
> When I check the same alert on Snorby, the severity of that alert is set
> to 3, which means it is a low-priority alert. Of course I want to change
> that, but any modification that I make to the Snort priority doesn't show
> up on Snorby.
>
> As Snorby only shows the data written on the database, I checked what was
> written for that alert:
>
> mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from
> events_with_join order by timestamp desc limit 2;
>
> +-----+---------+-----------+---------------------+------+--------------+---------------------------------+
> | sid | cid     | signature | timestamp           | id   | sig_priority | sig_name                        |
> +-----+---------+-----------+---------------------+------+--------------+---------------------------------+
> |   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3 | POLICY failed FTP login attempt |
> +-----+---------+-----------+---------------------+------+--------------+---------------------------------+
>
> So, it seems that Barnyard2, responsible for taking the data from the
> unified archive and writing to the database is (?)
> assigning a sig_priority of 3, which is not correct.
>
> Perhaps someone has the same issue and can enlighten me...
>
> Thanks!
>   --
>
> Federico Carbonell
> IT Infrastructure and Security Manager, Buenos Aires Container Terminal Services S.A.
> Tel: 54-11-4510-9884
> Fax: 54-11-4510-9891
> Email: federico_carbonell at ...16047...
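Added example (not code from the thread or from the Snort/Barnyard2 projects): a small Python check that parses the rule text, the fast-format alert line and the database row quoted above and reports at which stage of the rule -> Snort -> Barnyard2 -> database chain the priority diverges. The DB_ROW dict is constructed from the two relevant columns of the query output; the optional `[Classification: ...]` handling assumes the usual fast-alert layout, which the quoted line happens not to include.

```python
import re

# Constructed sample input taken from the thread: the rule, one fast-format
# alert line and the two columns of the row Barnyard2 wrote to the database.
RULE = ('alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login '
        'attempt"; flow:established,to_client; content:"530 "; depth:4; '
        'metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; '
        'sid:13360; rev:3; priority:10;)')
ALERT_LINE = ('01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt '
              '[**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730')
DB_ROW = {"sig_name": "POLICY failed FTP login attempt", "sig_priority": 3}

# name:value; pairs in the rule body; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]; classification is optional
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]'
                      r'(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(\d+)\]')


def parse_rule_options(rule):
    """Return {option: value} for a Snort rule body; the first occurrence of a name wins."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for name, value in OPTION_RE.findall(body):
        opts.setdefault(name, value.strip().strip('"'))
    return opts


def parse_fast_alert(line):
    """Extract gid, sid, rev, msg and priority from a Snort fast-format alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a fast-format alert line: %r" % line)
    gid, sid, rev, msg, prio = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev),
            "msg": msg, "priority": int(prio)}


def check_priority_chain(rule, alert_line, db_row):
    """Compare priority at each stage (rule text -> Snort alert -> database row);
    returns a list of mismatch descriptions, empty when the whole chain agrees."""
    opts = parse_rule_options(rule)
    alert = parse_fast_alert(alert_line)
    rule_prio = int(opts.get("priority", 0))  # 0 = rule has no explicit priority keyword
    findings = []
    if (int(opts["sid"]), int(opts["rev"])) != (alert["sid"], alert["rev"]):
        findings.append("alert %d:%d is not rule sid:%s rev:%s"
                        % (alert["sid"], alert["rev"], opts["sid"], opts["rev"]))
    if alert["priority"] != rule_prio:
        findings.append("Snort logged priority %d, rule says %d" % (alert["priority"], rule_prio))
    if db_row["sig_priority"] != rule_prio:
        findings.append("database sig_priority %d differs from rule priority %d"
                        % (db_row["sig_priority"], rule_prio))
    return findings
```

Running `check_priority_chain(RULE, ALERT_LINE, DB_ROW)` on the thread's data returns a single finding pointing at the database row, which localises the divergence to the Barnyard2 write rather than to Snort's own alert.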