[Snort-users] Event mismatch

JJC cummingsj at ...11827...
Tue Aug 5 10:52:29 EDT 2014


Snorby needs to be using the sid-msg.map that pulledpork produces; you also
need to be sure that you have your pulledpork configured to generate a
version 1 (one) sid-msg.map, as I do not think that Snorby is compatible
with the new version that was designed for use with Barnyard.

JJC


On Tue, Aug 5, 2014 at 7:27 AM, Anshuman Anil Deshmukh <anshuman at ...16567....>
wrote:

> Can anybody reply on this?
>
> Regards,
>
> Anshuman
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
> *Sent:* Monday, August 4, 2014 10:59 PM
> *To:* 'Joel Esler (jesler)'; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Event mismatch
>
> Sorry for the encrypted mail which was recently sent by mistake. My
> apologies.
>
> What I was saying was: which configuration file does Snorby refer to, in
> which the sid-msg.map file is specified?
>
> Regards,
>
> Anshuman
>
> *From:* Joel Esler (jesler) [mailto:jesler at ...589... <jesler at ...589...>]
> *Sent:* Monday, August 4, 2014 8:42 PM
> *To:* Anshuman Anil Deshmukh
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Event mismatch
>
> Looks like Snorby is not reading from the correct sid-msg.map file.
>
> On Aug 4, 2014, at 9:34 AM, Anshuman Anil Deshmukh <anshuman at ...16510...>
> wrote:
>
> Anybody on this? Is there any fix for this?
>
> Regards,
>
> Anshuman
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman at ...16510...
> <anshuman at ...16510...>]
> *Sent:* Wednesday, July 30, 2014 5:23 PM
> *To:* snort-users mailinglist
> *Subject:* [Snort-users] Event mismatch
>
> Hi,
> I am observing that an event shown in the Snort terminal window appears in
> the Snorby console with a different description. Kindly see the output below
> from the terminal window and *refer to the attachment* for how the same event
> appears in Snorby. This event appears in Snorby as “ssh: Gobbles exploit”. SID &
> GID are the same for both.
>
> Has anybody encountered this issue?
>
> *Snort terminal window*
>
> [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 07/29-11:38:33.588575 <IP address removed>:53198 -> <IP address removed>:22
> TCP TTL:64 TOS:0x8 ID:27261 IpLen:20 DgmLen:4180 DF
> ***A**** Seq: 0x6DCCC579  Ack: 0xFD13066A  Win: 0xEA80  TcpLen: 20
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639]
>
> I have recently upgraded from Snort version 2.9.5 to 2.9.6.1 (it was
> compiled from source). After the upgrade I replaced the older versions of
> the files classification.config, gen-msg.map, reference.config & unicode.map.
> Am I missing something which is causing this issue?
>
> I use pulledpork version 0.7.0 to update my rules. I update text-based
> rules & so_rules with pulledpork. I use barnyard 2.1.9 (Build 263) - XFF
> patch (version 2). I am using mysql ver 14.14 Distrib 5.1.73, for
> redhat-linux-gnu (x86_64) using readline 5.1.
>
> Let me know in case any other information regarding my setup is needed.
>
> Thanks.
>
> Regards,
>
> Anshuman
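As an added check (example code, not from this thread or from the Snorby, Barnyard or pulledpork projects): a small Python parser for both sid-msg.map layouts JJC refers to plus gen-msg.map, which resolves the gid:sid of the console alert quoted above and reports whether the text matches what the map files would display. The map contents below are constructed samples; the alert in the thread is gid 128 (SSH preprocessor), so it resolves through gen-msg.map rather than sid-msg.map, which is why an old gen-msg.map alone can produce the "ssh: Gobbles exploit" text.

```python
import re

# Constructed sample map files (not the poster's real ones). Layouts as the
# tools write them: v1 sid-msg.map is "sid || msg || ref...", v2 opens with
# "#v2" and is "gid || sid || rev || class || priority || msg || ref...";
# gen-msg.map is "gid || sid || msg" for preprocessor/decoder events such
# as the SSH preprocessor (gid 128) alert quoted in the thread.
SID_MSG_V1 = "2001 || EXAMPLE rule text || cve,2002-0640\n"
SID_MSG_V2 = ("#v2\n"
              "1 || 2001 || 3 || attempted-admin || 1 || EXAMPLE rule text || cve,2002-0640\n")
GEN_MSG_OLD = "128 || 1 || ssh: Gobbles exploit\n"
GEN_MSG_NEW = "128 || 1 || (spp_ssh) Challenge-Response Overflow exploit\n"
CONSOLE_LINE = "[**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]"


def parse_sid_msg_map(text):
    """Return ({(gid, sid): msg}, version). v1 rows carry no gid column, so
    this example files them under both rule gids (1 text, 3 shared-object)."""
    lines = text.splitlines()
    version = 2 if lines and lines[0].strip() == "#v2" else 1
    table = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split("||")]
        if version == 1:
            for gid in (1, 3):
                table[(gid, int(f[0]))] = f[1]
        else:
            table[(int(f[0]), int(f[1]))] = f[5]
    return table, version


def parse_gen_msg_map(text):
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            gid, sid, msg = [x.strip() for x in line.split("||", 2)]
            table[(int(gid), int(sid))] = msg
    return table


def audit(console_line, sid_map, gen_map):
    """Parse a Snort alert header, resolve gid:sid through the map the console
    consults (sid-msg.map for rule gids 1/3, gen-msg.map otherwise), and
    report whether the mapped text matches the console text."""
    m = re.match(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$", console_line.strip())
    if not m:
        raise ValueError("not a Snort alert header: %r" % console_line)
    gid, sid, console_msg = int(m.group(1)), int(m.group(2)), m.group(4)
    map_msg = (sid_map if gid in (1, 3) else gen_map).get((gid, sid))
    return {"gid": gid, "sid": sid, "console": console_msg,
            "mapped": map_msg, "match": map_msg == console_msg}
```

Run it against the map files a Snorby host actually reads to confirm which copy of gen-msg.map and which sid-msg.map layout (v1 or the Barnyard-oriented v2) are in play.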