[Snort-users] Event mismatch

Anshuman Anil Deshmukh anshuman at ...16510...
Tue Aug 5 09:27:38 EDT 2014


Can anybody reply on this?





Regards,

Anshuman



From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
Sent: Monday, August 4, 2014 10:59 PM
To: 'Joel Esler (jesler)'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Event mismatch



Sorry for the encrypted mail which was recently sent by mistake. My apologies.



What I was saying was - which configuration file does Snorby refer in which the sid-msg.map file is specified?





Regards,

Anshuman



From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Monday, August 4, 2014 8:42 PM
To: Anshuman Anil Deshmukh
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Event mismatch



Looks like Snorby is not reading from the correct sid-msg.map file.





   On Aug 4, 2014, at 9:34 AM, Anshuman Anil Deshmukh <anshuman at ...16510...<mailto:anshuman at ...16510...>> wrote:



   Anybody on this? Is there any fix for this?





   Regards,

   Anshuman



   From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
   Sent: Wednesday, July 30, 2014 5:23 PM
   To: snort-users mailinglist
   Subject: [Snort-users] Event mismatch



   Hi,



   I am observing that an event shown in the snort terminal window appears in the Snorby console with a different description. Kindly see below output in the terminal window and refer attachment for same event how it appears in Snorby. This event appears in Snorby as “ssh: Gobbles exploit”. SIG & GID is same for both.



   Has anybody encountered this issue?



   Snort terminal window



   [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]

   [Classification: Attempted Administrator Privilege Gain] [Priority: 1]

   07/29-11:38:33.588575 <IP address removed>:53198 -> <IP address removed>:22

   TCP TTL:64 TOS:0x8 ID:27261 IpLen:20 DgmLen:4180 DF

   ***A**** Seq: 0x6DCCC579  Ack: 0xFD13066A  Win: 0xEA80  TcpLen: 20

   [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640][Xref<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640%5d%5bXref> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639]



   I have recently upgraded from Snort version 2.9.5 to 2.9.6.1 (it was compiled from source). After upgrade I have replaced the older version of files classification.config, gen.msg.map, reference.config & unicode.map.  Am I missing something which is causing this issue?



   I use pulledpork version 0.7.0 to update my rules. I update text based rules & so_rules with pulledpork. I use barnyard 2.1.9 (Build 263) - XFF patch (version 2). I am using mysql  ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1.



   Let me know in case any other information regarding my setup is needed.



   Thanks.





   Regards,

   Anshuman




   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>




   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>

   <Appearing in Snorbyt_mismatch.jpg>------------------------------------------------------------------------------
   Infragistics Professional
   Build stunning WinForms apps today!
   Reboot your WinForms applications with our WinForms controls.
   Build a bridge from your legacy apps to the future.
   http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk_______________________________________________
   Snort-users mailing list
   Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
   Go to this URL to change user options or unsubscribe:
   https://lists.sourceforge.net/lists/listinfo/snort-users
   Snort-users list archive:
   http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

   Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!






   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com>


"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." 
www.cybage.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140805/8aa99a06/attachment.html>


More information about the Snort-users mailing list