[Snort-users] sid-msg.map

Johnny Venter johnny.venter at ...15370...
Thu Mar 14 14:31:43 EDT 2013


I'm using Snorby as my front-end; not sure if this question is directly related to Snort or Snorby.

Most of my alerts display the "msg" field; some do not.

For example I see the following alert in Snorby: Snort Alert [1:24889:1] 

Looking through the rules and map files, I found this:

exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;)

sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || cve,2007-5659 || cve,2006-0003

Are the entries in "exploit-kit.rules" and "sid-msg.map" correct?

I *did* find info running the following MySQL queries:

select * from data where cid=25568;
select * from event where cid=25568;
select * from tcphdr  where cid=25568;

…but I did not find any msg info. Any ideas??

Thanks.
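As an added check (not from the original post, and not Snort's or Snorby's own code), the script below parses a constructed sid-msg.map excerpt in the v1 "sid || msg || ref" format quoted above, pulls gid:sid:rev out of a Snorby-style "Snort Alert [1:24889:1]" label, and lists the alerts whose sid has no map entry, which is exactly the case that renders without a msg. The map contents and labels are sample values constructed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a v1 sid-msg.map (sid || msg || reference || ...).
# v1 maps carry no gid column, so every entry describes generator 1 (the rules engine).
SID_MSG_MAP = """\
# comment lines and blank lines are ignored
25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889
1000001 || LOCAL test rule without references
"""

# Matches the [gid:sid:rev] triple embedded in a front-end alert label.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_sid_msg_map(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Return {sid: (msg, [references])} for every well-formed v1 line."""
    entries: Dict[int, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line; a production tool would log it
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries


def parse_alert_label(label: str) -> Optional[Tuple[int, int, int]]:
    """Extract (gid, sid, rev) from a label such as 'Snort Alert [1:24889:1]'."""
    m = ALERT_RE.search(label)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def lookup_msg(entries: Dict[int, Tuple[str, List[str]]], label: str) -> Optional[str]:
    """Return the msg text for the alert label, or None when the map cannot supply one."""
    parsed = parse_alert_label(label)
    if parsed is None:
        return None
    gid, sid, _rev = parsed
    if gid != 1:
        return None  # a v1 map only covers gid 1; preprocessor alerts need gen-msg.map
    hit = entries.get(sid)
    return hit[0] if hit else None


def find_unmapped(entries: Dict[int, Tuple[str, List[str]]], labels: List[str]) -> List[str]:
    """Alert labels that would display without a msg because their sid is not in the map."""
    return [label for label in labels if lookup_msg(entries, label) is None]
```

Running `find_unmapped` over the labels a front-end shows without text gives the list of sids to grep for in the rules and map files.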



