[Snort-users] sid-msg.map

Y M snort at ...15979...
Tue Mar 19 10:42:55 EDT 2013


The reason that you would see something like Snort Alert [1:24889:1] instead of the proper signature name is that when the alert was triggered, it did not have its own entry in the sid-msg.map to be stored into the "signature" table in the "snort" database. The ultimate solution to that is to use PulledPork to generate your sid-msg.map file as Joel suggested.

To update existing entries that don't have the proper signature name, I would suggest running the following SQL statement against the Snort database, replacing the xxx with the signature sid you are looking for:

SELECT * FROM signature WHERE sig_sid=xxx;

This will return the record you are looking for. Then you can update the "sig_name" column with the appropriate signature name, either inline or by issuing an UPDATE statement.

YM

> Date: Tue, 19 Mar 2013 06:24:07 -0700
> From: johnny.venter at ...15370...
> To: jthoel at ...11827...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] sid-msg.map
> 
> Sorry, 
>  
> I had multiple alerts with the same issue and had the corresponding SID's in a list. The sid 25568 is the correct one. 
> 
> Do you know where this information is contained?  I've tried multiple MySQL queries, but cannot find the correct location.
> 
> Thank you.
> 
> ---- On Thu, 14 Mar 2013 11:39:24 -0700 Jeremy Hoel wrote ---- 
>  
> >Your first alert is for SID 24889, yet your search through rules and 
> >sid-map is for 25568.. ?? Why was that? 
> > 
> >When snorby shows the "Snort Alert.. blah blah". it's reading that 
> >from the DB. That information gets put into the DB from Barnyard2. 
> > 
> >Barnyard2 reads the name of the rule from sid-msg.map (if it's 
> >configured to read the right one). 
> > 
> >When you update your rules (hopefully using pulledpork) it should 
> >generate a new sid-msg.map. Then you restart BY2 to read the new 
> >file. 
> > 
> >If that's not the process you are doing, or you haven't restarted BY2 
> >in a while.. then that's the problem. 
> > 
> >You can do an UPDATE mysql command to change the name of the rule in the DB. 
> > 
> > 
> >On Thu, Mar 14, 2013 at 6:31 PM, Johnny Venter wrote: 
> >> I'm using Snorby as my front-end, not sure if this question is directly related 
> >> to Snort or Snorby. 
> >> 
> >> Most of my alerts display the "msg" field, some do not 
> >> 
> >> For example I see the following alert in Snorby: Snort Alert [1:24889:1] 
> >> 
> >> Looking thru the rules and map files, I found this: 
> >> 
> >> exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> >> (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; 
> >> flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; 
> >> pcre:"//[a-f0-9]{16}/q.php/U"; metadata:policy balanced-ips drop, policy 
> >> security-ips drop, service http; reference:cve,2006-0003; 
> >> reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; 
> >> reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; 
> >> reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; 
> >> reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; 
> >> reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) 
> >> 
> >> sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page 
> >> retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || 
> >> cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || 
> >> cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || 
> >> cve,2008-0655 || cve,2007-5659 || cve,2006-0003 
> >> 
> >> Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? 
> >> 
> >> I *did* find info running the following MySQL queries: 
> >> 
> >> select * from data where cid=25568; 
> >> select * from event where cid=25568; 
> >> select * from tcphdr where cid=25568; 
> >> 
> >> …but did not find any msg info. Any ideas?? 
> >> 
> >> Thanks. 
> >> 
> >> 
> >> 
> >> ------------------------------------------------------------------------------ 
> >> Everyone hates slow websites. So do we. 
> >> Make your web apps faster with AppDynamics 
> >> Download AppDynamics Lite for free today: 
> >> http://p.sf.net/sfu/appdyn_d2d_mar 
> >> _______________________________________________ 
> >> Snort-users mailing list 
> >> Snort-users at lists.sourceforge.net 
> >> Go to this URL to change user options or unsubscribe: 
> >> https://lists.sourceforge.net/lists/listinfo/snort-users 
> >> Snort-users list archive: 
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> >> 
> >> Please visit http://blog.snort.org to stay current on all the latest Snort 
> >> news! 
> >
> 
> 
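The thread describes the mechanism behind the generic "Snort Alert [gid:sid:rev]" names: barnyard2 stores that fallback text in the signature table when the sid is missing from sid-msg.map, and the fix is to correct sig_name once a proper map exists. The script below is an added example (not code from the thread, Snort, barnyard2 or PulledPork) that does that reconciliation in bulk: it parses a v1 sid-msg.map ("sid || msg || ref || ref"), finds rows still carrying the fallback name, and issues parameterized UPDATE statements only for sids the map now covers. It uses an in-memory SQLite table with the barnyard2 signature column names (sig_id, sig_name, sig_gid, sig_sid, sig_rev) as a stand-in for the MySQL database; the map text is constructed, and the message for sid 24889 is a labelled placeholder, not the real rule message.

```python
import re
import sqlite3

# Constructed sid-msg.map excerpt in the v1 "sid || msg || ref || ref" layout shown in the thread.
# The 25568 line is the one quoted in the thread; the 24889 text is a placeholder, not the real msg.
SID_MSG_MAP = """\
# comment lines and blank lines are ignored
25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889
24889 || PLACEHOLDER-MSG for sid 24889 (constructed, not the real rule message)
"""

# Fallback name barnyard2 writes when a sid has no map entry, e.g. "Snort Alert [1:24889:1]".
GENERIC_NAME = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")


def parse_sid_msg_map(text):
    """Return {sid: msg} from v1 sid-msg.map lines; malformed lines are skipped, not guessed."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        mapping[int(fields[0])] = fields[1]
    return mapping


def build_sample_db():
    """Constructed stand-in for the barnyard2 'signature' table (same column names as the snort schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE signature (
        sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_class_id INTEGER,
        sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER)""")
    db.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", [
        (1, "Snort Alert [1:24889:1]", 1, 1, 1, 24889, 1),  # fallback name, map now has the sid
        (2, "Snort Alert [1:25568:1]", 1, 1, 1, 25568, 1),  # fallback name, map now has the sid
        (3, "Snort Alert [1:99999:1]", 1, 1, 1, 99999, 1),  # still absent from the map: must stay as is
        (4, "EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval", 1, 1, 1, 25568, 1),  # already correct
    ])
    db.commit()
    return db


def find_generic_signatures(db):
    """Rows whose sig_name is still the fallback 'Snort Alert [gid:sid:rev]' text."""
    rows = db.execute(
        "SELECT sig_id, sig_name, sig_gid, sig_sid, sig_rev FROM signature").fetchall()
    return [r for r in rows if GENERIC_NAME.match(r[1])]


def fix_generic_signatures(db, sid_to_msg):
    """UPDATE sig_name for fallback rows whose sid now has a map entry; returns rows changed."""
    updated = 0
    for sig_id, _sig_name, gid, sid, _rev in find_generic_signatures(db):
        # Assumption: a v1 sid-msg.map is keyed by sid only and describes generator 1 (rules engine)
        # alerts; preprocessor gids are left alone rather than mislabelled.
        if gid != 1:
            continue
        msg = sid_to_msg.get(sid)
        if msg is None:
            continue  # map still lacks this sid: keep the fallback name rather than invent one
        db.execute("UPDATE signature SET sig_name = ? WHERE sig_id = ?", (msg, sig_id))
        updated += 1
    db.commit()
    return updated


def signature_names(db):
    """{sig_id: sig_name} snapshot, handy for checking the result of a run."""
    return {row[0]: row[1] for row in db.execute("SELECT sig_id, sig_name FROM signature")}


if __name__ == "__main__":
    db = build_sample_db()
    mapping = parse_sid_msg_map(SID_MSG_MAP)
    print("fallback rows before:", len(find_generic_signatures(db)))
    print("rows updated:", fix_generic_signatures(db, mapping))
    print("fallback rows after:", len(find_generic_signatures(db)))
```

Against a live database, the same two functions would run with a MySQL connection and the real sid-msg.map that PulledPork wrote; the only rows touched are those that match the fallback pattern exactly and whose sid the map contains, so rows barnyard2 has already named correctly and sids still missing from the map are never changed. Restart barnyard2 after regenerating the map, as Jeremy notes, or new events will keep arriving with the fallback name.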