[Snort-users] sid-msg.map

johnny.venter johnny.venter at ...15370...
Tue Mar 19 09:24:07 EDT 2013


Sorry, 
 
I had multiple alerts with the same issue and had the corresponding SIDs in a list. SID 25568 is the correct one. 

Do you know where this information is contained?  I've tried multiple MySQL queries, but cannot find the correct location.

Thank you.

---- On Thu, 14 Mar 2013 11:39:24 -0700 Jeremy Hoel wrote ---- 
 
>Your first alert is for SID 24889, yet your search through rules and 
>sid-map is for 25568.. ?? Why was that? 
> 
>When Snorby shows the "Snort Alert.. blah blah", it's reading that 
>from the DB. That information gets put into the DB from Barnyard2. 
> 
>Barnyard2 reads the name of the rule from sid-msg.map (if it's 
>configured to read the right one). 
> 
>When you update your rules (hopefully using pulledpork) it should 
>generate a new sid-msg.map. Then you restart BY2 to read the new 
>file. 
> 
>If that's not the process you are doing, or you haven't restarted BY2 
>in a while.. then that's the problem. 
> 
>You can do an UPDATE mysql command to change the name of the rule in the DB. 
> 
> 
>On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter wrote: 
>> I'm using Snorby as my front-end; not sure if this question is directly related 
>> to Snort or Snorby. 
>> 
>> Most of my alerts display the "msg" field, some do not. 
>> 
>> For example I see the following alert in Snorby: Snort Alert [1:24889:1] 
>> 
>> Looking through the rules and map files, I found this: 
>> 
>> exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
>> (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; 
>> flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; 
>> pcre:"//[a-f0-9]{16}/q.php/U"; metadata:policy balanced-ips drop, policy 
>> security-ips drop, service http; reference:cve,2006-0003; 
>> reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; 
>> reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; 
>> reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; 
>> reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; 
>> reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) 
>> 
>> sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page 
>> retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || 
>> cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || 
>> cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || 
>> cve,2008-0655 || cve,2007-5659 || cve,2006-0003 
>> 
>> Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? 
>> 
>> I *did* find info running the following MySQL queries: 
>> 
>> select * from data where cid=25568; 
>> select * from event where cid=25568; 
>> select * from tcphdr where cid=25568; 
>> 
>> …but did not find any msg info. Any ideas?? 
>> 
>> Thanks. 
>> 
>> 
>> 
>
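Jeremy's explanation above describes the chain Snorby reads: barnyard2 names each event from sid-msg.map, and a SID that is missing from that file at the time is stored under the placeholder name "Snort Alert [gid:sid:rev]". The following is an added example, not code from this thread or from barnyard2/Snorby: it parses the v1 sid-msg.map format quoted above and prepares the corrective UPDATE statements Jeremy mentions. It assumes the barnyard2/ACID `signature` table (columns sig_id, sig_name, sig_gid, sig_sid, sig_rev); the sid-msg.map lines and the table rows are constructed samples.

```python
import re

# Constructed v1 sid-msg.map excerpt ("sid || msg || ref || ref ..."). The
# 25568 line is the one quoted in the thread; the 24889 line is made up.
SID_MSG_MAP = """\
# comments and blank lines are ignored

24889 || SAMPLE-RULE constructed message for sid 24889 || url,example.invalid
25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889
"""

# Constructed rows shaped like the barnyard2/ACID `signature` table (assumed schema):
# (sig_id, sig_name, sig_gid, sig_sid, sig_rev)
SAMPLE_SIGNATURE_ROWS = [
    (7, "Snort Alert [1:24889:1]", 1, 24889, 1),  # placeholder, now mappable
    (8, "EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval", 1, 25568, 1),
    (9, "Snort Alert [1:99999:1]", 1, 99999, 1),  # SID still unmapped: untouched
]

# Name barnyard2 stores when the SID was absent from sid-msg.map.
PLACEHOLDER = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")

def parse_sid_msg_map(text):
    """Return {sid: (msg, [refs])} from v1 sid-msg.map text (gid 1 implied)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line: skip rather than guess
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries

def placeholder_fixes(rows, entries):
    """Return (sig_id, new_name) for placeholder rows whose SID is now mapped."""
    fixes = []
    for sig_id, name, gid, sid, rev in rows:
        m = PLACEHOLDER.match(name)
        if not m or tuple(map(int, m.groups())) != (gid, sid, rev):
            continue  # not a placeholder, or name and columns disagree: leave for review
        if gid == 1 and sid in entries:
            fixes.append((sig_id, entries[sid][0]))
    return fixes

def update_statements(fixes):
    """Parameterised UPDATEs: bind the values through the DB-API driver."""
    sql = "UPDATE signature SET sig_name = %s WHERE sig_id = %s"
    return [(sql, (new_name, sig_id)) for sig_id, new_name in fixes]
```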
