[Snort-users] PulledPork / Modifysid.conf Issues

Y M snort at ...15979...
Thu Sep 19 12:48:33 EDT 2013


It looks like the original alert, the unmodified one, is in the database already. Clear it out and BY2 should re-insert it.
FYI, I am not a BY2 folk but I use it.
Thanks.
YM

> From: bturnbough at ...15650...
> To: snort-users at lists.sourceforge.net
> Date: Thu, 19 Sep 2013 15:29:55 +0000
> Subject: [Snort-users] PulledPork / Modifysid.conf Issues
> 
> Gents,
> 
> Snort ---2.9.3.1
> Pulled Pork ---0.6.1
> Barnyard2 ---2.1.9
> Snorby ---2.5.3
> 
> Rule BEFORE Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:15167; rev:11;)
> 
> Rule after Pulled Pork modifysid processing:
> ------------------------------------------------------------
> alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:misc-activity; sid:15167; rev:11;)
> 
> Modifysid.conf:
> ------------------------------------------------------------
> 15167 "classtype:trojan-activity" "classtype:misc-activity";
> 19020 "classtype:trojan-activity" "classtype:misc-activity";
> 15168 "classtype:trojan-activity" "classtype:misc-activity";
> 
> Classification.conf:
> ------------------------------------------------------------
> config classification: misc-activity,Misc activity,3
> 
> 
> What I'm trying to achieve:
> ------------------------------------------------------------
> I want to reclassify the rule from a HIGH priority (1) to a LOW priority (3).  It appears that pulled pork is doing its job, as I see the classification change in the rules file, but the event isn't being inserted by barnyard2 into the snorby database with a LOW priority as per the rule classification.  This is the very first time I've done this so I'm a bit confused as to why this is occurring.
> 
> I've restarted both snort and also barnyard2, but no change in outcome.
> 
> 
> Ideas?
> 
> Thanks,
> 
> Brad
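As an added example that is not part of the thread, the database side of the fix YM suggests, written against the standard Snort/Barnyard2 MySQL schema (the signature, sig_class and event table and column names are assumptions taken from that schema, not from the posts):

```sql
-- Added example, not from the thread. Assumes the standard Snort DB schema
-- used by Barnyard2 (tables signature, sig_class, event).

-- 1. Show what Barnyard2 has cached for sid 15167 (gid 1). The symptom in
--    the thread would appear here as sig_priority = 1 and
--    sig_class_name = 'trojan-activity', even though the rules file now
--    says classtype:misc-activity.
SELECT s.sig_id, s.sig_sid, s.sig_rev, s.sig_priority, c.sig_class_name
FROM   signature s
JOIN   sig_class c ON c.sig_class_id = s.sig_class_id
WHERE  s.sig_gid = 1 AND s.sig_sid = 15167;

-- 2a. The approach in the reply: remove the cached row so Barnyard2
--     re-inserts it from the updated sid-msg.map / classification.config.
--     Check first how many stored events reference the row, because they
--     lose their signature details in Snorby once it is gone.
SELECT COUNT(*) AS affected_events
FROM   event e
JOIN   signature s ON s.sig_id = e.signature
WHERE  s.sig_gid = 1 AND s.sig_sid = 15167;

DELETE FROM signature WHERE sig_gid = 1 AND sig_sid = 15167;

-- 2b. Alternative that keeps event history: rewrite the cached row in place
--     to match the modified rule. Assumes 'misc-activity' already exists in
--     sig_class (the classification.config line above defines it with
--     priority 3).
UPDATE signature s
JOIN   sig_class c ON c.sig_class_name = 'misc-activity'
SET    s.sig_class_id = c.sig_class_id,
       s.sig_priority = 3
WHERE  s.sig_gid = 1 AND s.sig_sid = 15167;
```

Run step 1 again after either fix and after the next sid 15167 event to confirm the row now carries priority 3.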