[Snort-users] Appearance of new custom alerts in BASE delayed

Black Lion black.ambasa at gmail.com
Wed Jun 20 09:07:45 EDT 2018


Hello. I am running Snort 2.9.11.1 on Ubuntu Server 16.04. I am also
running Barnyard2 2.1.14, BASE 1.4.5 and PulledPork 0.7.4. Whenever I add a
custom rule in /etc/snort/rules/local.rules and do a test connection to
trigger the custom alert, this alert does not appear in BASE right away. It
appears after some time has elapsed. Below is what I have done which results
in the delay:

   - Added the below custom rule to /etc/snort/rules/local.rules:

alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; GID:1; sid:1000008; rev:001; classtype:misc-activity;)

   - Ran PulledPork in order to add the custom rule to
   /etc/snort/sid-msg.map (the new entry has been added in sid-msg.map)
   - Restarted the snort and barnyard2 services
   - Connected to the snort database and ran the below line to check if
   barnyard2 has added the custom rule to the database:

SELECT * FROM snort.signature WHERE sig_name = 'RDP to server';

(it took ~15 min before the custom rule was added to the database).

   - To test if the custom rule works, I connected to the server using
   Remote Desktop.
   - The interesting thing is that one of the downloaded Snort rules, "ET
   POLICY RDP connection confirm", appears in BASE as an alert, but my
   custom alert does not appear in BASE. After a long delay, my custom alert
   eventually appears.

What could be the reason that there is a delay with the added custom alert
appearing in BASE? Is there a way to troubleshoot this?
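One way to answer the "is there a way to troubleshoot this?" question is to check each hand-off in the pipeline the post describes (local.rules, then the sid-msg.map that PulledPork rewrites, then the signature table that Barnyard2 fills) and report at which stage a custom sid has stalled. The script below is an added example, not code from the post or from the Snort, Barnyard2 or PulledPork projects. The rule file, both sid-msg.map layouts (v1 "sid || msg" and v2 "#v2" header with "gid || sid || rev || class || priority || msg") and the signature-table rows are constructed samples; the function names and the status strings are this example's own.

```python
"""Added diagnostic: find where a custom Snort sid has stalled on its way
into the BASE database (local.rules -> sid-msg.map -> signature table).
All inputs below are constructed for this example, not from a live system."""
import re
from typing import Dict, Iterable, Set, Tuple

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;', re.IGNORECASE)
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;', re.IGNORECASE)

# Constructed local.rules: the post's RDP rule plus a second rule that
# PulledPork has not (yet) picked up.
LOCAL_RULES = """
# local.rules (constructed sample)
alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; gid:1; sid:1000008; rev:1; classtype:misc-activity;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000009; rev:1;)
"""

# Constructed v1 layout: sid || msg || optional refs
SID_MSG_MAP_V1 = """\
1000008 || RDP to server
2000001 || ET POLICY RDP connection confirm
"""

# Constructed v2 layout: gid || sid || rev || class || priority || msg || refs
SID_MSG_MAP_V2 = """\
#v2
1 || 1000008 || 1 || misc-activity || 3 || RDP to server
1 || 2000001 || 1 || policy-violation || 1 || ET POLICY RDP connection confirm
119 || 1 || 1 || protocol-command-decode || 3 || (preprocessor) sample event
"""

# Constructed rows as returned by
# SELECT sig_gid, sig_sid, sig_name FROM snort.signature;
SIGNATURE_ROWS = [(1, 2000001, "ET POLICY RDP connection confirm")]


def parse_rules(text: str) -> Dict[int, str]:
    """Map sid -> msg for every non-comment rule line that carries a sid."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        if sid:
            rules[int(sid.group(1))] = msg.group(1) if msg else ""
    return rules


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Map sid -> msg from a sid-msg.map in v1 or v2 layout (gid 1 only)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    is_v2 = bool(lines) and lines[0].startswith("#v2")
    entries: Dict[int, str] = {}
    for line in lines:
        if line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if is_v2:
            # Preprocessor gids (e.g. 119) never correspond to text rules.
            if len(fields) < 6 or fields[0] != "1":
                continue
            entries[int(fields[1])] = fields[5]
        elif len(fields) >= 2:
            entries[int(fields[0])] = fields[1]
    return entries


def db_sids(rows: Iterable[Tuple[int, int, str]]) -> Set[int]:
    """Collect gid-1 sids already present in the signature table."""
    return {sid for gid, sid, _ in rows if gid == 1}


def locate_stall(rules: Dict[int, str], sidmap: Dict[int, str],
                 present: Set[int]) -> Dict[int, str]:
    """For each sid in local.rules, name the first stage where it is missing."""
    status: Dict[int, str] = {}
    for sid, msg in rules.items():
        if sid not in sidmap:
            status[sid] = "missing from sid-msg.map (re-run PulledPork)"
        elif sidmap[sid] != msg:
            status[sid] = "sid-msg.map text differs from rule msg (stale map)"
        elif sid not in present:
            status[sid] = "not yet in signature table (Barnyard2 has not written it)"
        else:
            status[sid] = "present in database"
    return status


def diagnose(sid_msg_map: str = SID_MSG_MAP_V2) -> Dict[int, str]:
    """Run the three-stage check over the constructed samples."""
    return locate_stall(parse_rules(LOCAL_RULES),
                        parse_sid_msg_map(sid_msg_map),
                        db_sids(SIGNATURE_ROWS))


if __name__ == "__main__":
    for sid, state in sorted(diagnose().items()):
        print(f"sid {sid}: {state}")
```

Run against real files by reading /etc/snort/rules/local.rules and /etc/snort/sid-msg.map into the two text variables and feeding rows from the SQL query above into SIGNATURE_ROWS; a sid reported as "not yet in signature table" while the rule and map are consistent points at the Barnyard2/database hand-off rather than at the rule or PulledPork steps.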