Snort mailing list archives
Barnyard: classification off by one?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Sat, 5 Oct 2002 18:26:44 -0400
this is where change logs, and server configuration logs, should be required (by me!)

Three systems, identical (well, obviously not!)

Two systems show classification text that is NOT the same as was requested.
md5 checksums on barnyard and classification.config are exact.
md5 checksums on snort are exact.
even cerebus shows it off by one when it reads the barnyard file.

what and where and how does snort send that info to barnyard? does it send it an 'index' number? after reading the sid-map file?
I guess there could be a problem if that 'index' number changed, ie a new sid-msg file, right?

in fast.alert plugin for barnyard, Version 0.1.0-rc2 (Build 11) using released snort 1.9.0

old barnyard/snort ok: (do i keep a 'change log'?) ;-)
I kept pretty much up with betas and rcs (except for snort 1.9)
(these put in to show it DID work at one time...)

these are ok:
------------------------------------------------------------------------
08/11/02-18:23:39.755831 {TCP} 64.242.39.222:4222 -> 10.1.1.10:80
[**] [1:1243:6] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]
[Xref => http://www.securityfocus.com/bid/1065]
[Xref => http://www.whitehats.com/info/IDS552]

started when I downloaded and installed (something?)
------------------------------------------------------------------------
08/11/02-22:17:03.263577 {TCP} 216.150.161.14:1588 -> 10.1.1.10:80
[**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Misc activity] [Priority: 1]
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

(should be web-application-attack)

and in the classification.config file, the reported classification is one below the real one.

config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3

these are ALL off by one: in fact, since 8/11, every one was off by one.
(note: using DEFAULT classification.config and rules!, with the exception of the off colour porn rulz one.)

09/26/02-12:46:49.526011 {TCP} 207.68.171.247:80 -> 10.1.1.112:1083
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]

10/04/02-22:28:28.070771 {TCP} 207.18.92.26:1392 -> 208.237.120.134:80
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Misc activity] [Priority: 1]
------------------------------------------------------------------------
10/05/02-16:07:05.052871 {TCP} 207.46.249.61:80 -> 208.237.120.135:2280
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: A suspicious string was detected] [Priority: 1]
------------------------------------------------------------------------
10/05/02-19:51:14.170117 {TCP} 207.68.132.10:80 -> 208.237.120.131:3667
[**] [1:649:5] SHELLCODE x86 setgid 0 [**]
[Classification: A TCP connection was detected] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS284]

Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
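An added example, not code from the post or from Barnyard/Snort, that parses classification.config entries (a constructed sample in default file order) and shows how a 0-based lookup of a 1-based classification id lands on the entry one line below, the symptom reported above; it assumes the classification travels as a position index, which the post only asks about. The check_alert helper is a hypothetical name for a check that compares the [Classification: ...] text in a fast-alert record with the classtype the rule is expected to carry.

```python
import re

# Constructed sample: four consecutive entries in default classification.config order,
# including the two the post quotes. Not the full file.
CLASSIFICATION_CONFIG = """\
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
"""

LINE_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def parse_classifications(text):
    """Return a list of (shortname, description, priority) tuples in file order."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable classification line: %r" % line)
        table.append((m.group(1).strip(), m.group(2).strip(), int(m.group(3))))
    return table


def class_id_for(table, shortname):
    """1-based id: position of the classtype in file order (first entry is id 1)."""
    return [t[0] for t in table].index(shortname) + 1


def lookup(table, class_id, one_based=True):
    """Resolve an id back to its entry. one_based=False reproduces the off-by-one:
    a 1-based id used directly as a list index returns the next line of the file.
    (That the id is a position index is an assumption, not confirmed by the post.)"""
    idx = class_id - 1 if one_based else class_id
    return table[idx]


def check_alert(table, alert_line, expected_shortname):
    """True if the alert's [Classification: ...] text matches the description that
    classification.config gives for the classtype the rule should have produced."""
    m = re.search(r"\[Classification: ([^\]]+)\]", alert_line)
    shown = m.group(1) if m else None
    expected_desc = dict((t[0], t[1]) for t in table)[expected_shortname]
    return shown == expected_desc
```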
Current thread:
- Barnyard: classification off by one? Michael Scheidell (Oct 05)
- Re: Barnyard: classification off by one? Dragos Ruiu (Oct 05)
- Re: [Barnyard-users] Barnyard: classification off by one? Andrew R. Baker (Oct 06)