Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort, Barnyard2 and Snorby alert classification mismatch

From: hanx hi <hanxhi () yahoo com ar>
Date: Wed, 16 Jan 2013 05:14:23 -0800 (PST)
Hi everyone, I have this issue, maybe someone can help.

I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a frontend. My problems is
that I cannot match any snort rule classification with Snorby severity.

For example, I have this rule in Snort:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,to_client; 
content:"530 "; depth:4; metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; 
rev:3; priority:10;)

As you can see, at the end of a line I assign a priority of 10 to that rule; when I trigger
the rule, by entering a wrong password to an ftp server, the alert log shows this:

01/15-16:51:10.580376  [**] [1:13360:3] POLICY failed FTP login attempt [**] [Priority: 10] {TCP} 192.3.3.11:21 -> 
192.3.3.225:64730

We can see that the priority 10 was there. But I have Snort configured also to write the alerts
to unified2; then Barnyard pools the data there and writes them to a database. Later on, Snorby (the frontend), shows 
the data that is stored on that table, in a fancy style...

When I check the same alert on Snorby, the severity of that alert is set to 3, wich means is a low
priority alert. Of course I want to change that, but any modification that I made on Snort priority
doesn't show up on Snorby.

As Snorby only shows the data written on the database, I checked what was written for that alert:

mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from events_with_join order by timestamp desc limit 
2;
+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
| sid | cid            | signature | timestamp                   | id   | sig_priority | sig_name                       
                    |
+-----+---------+-----------+---------------------+------+--------------+----------------------------------------------------+
|   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3      | POLICY failed FTP login attempt          
          |

So, it seems that Barnyard2, responsible for taking the data from the unified archive and writing to the database is (?)
assigning a sig_priority of 3, which is not correct.

Perhaps someone has the same issue and can enlighten me...

Thanks!

------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: