Snort mailing list archives
Snort, Barnyard2 and Snorby alert classification mismatch
From: hanx hi <hanxhi () yahoo com ar>
Date: Wed, 16 Jan 2013 05:14:23 -0800 (PST)
Hi everyone, I have this issue, maybe someone can help. I'm running Snort 2.9.4 along with Barnyard2 2.1.9 and Snorby 2.5.4 as a frontend. My problem is that I cannot match any Snort rule classification with Snorby severity. For example, I have this rule in Snort:

    alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,to_client; content:"530 "; depth:4; metadata:policy security-ips alert; reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)

As you can see, at the end of the line I assign a priority of 10 to that rule; when I trigger the rule, by entering a wrong password to an FTP server, the alert log shows this:

    01/15-16:51:10.580376 [**] [1:13360:3] POLICY failed FTP login attempt [**] [Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730

We can see that the priority 10 was there. But I also have Snort configured to write the alerts to unified2; then Barnyard pools the data there and writes them to a database. Later on, Snorby (the frontend) shows the data that is stored in that table, in a fancy style... When I check the same alert on Snorby, the severity of that alert is set to 3, which means it is a low priority alert. Of course I want to change that, but any modification that I make to the Snort priority doesn't show up on Snorby.

As Snorby only shows the data written to the database, I checked what was written for that alert:

    mysql> select sid,cid,signature,timestamp,id,sig_priority,sig_name from events_with_join order by timestamp desc limit 2;
    +-----+---------+-----------+---------------------+------+--------------+---------------------------------+
    | sid | cid     | signature | timestamp           | id   | sig_priority | sig_name                        |
    +-----+---------+-----------+---------------------+------+--------------+---------------------------------+
    |   1 | 2563231 |        32 | 2013-01-16 10:01:10 | 1558 |            3 | POLICY failed FTP login attempt |

So, it seems that Barnyard2, responsible for taking the data from the unified archive and writing it to the database, is (?) assigning a sig_priority of 3, which is not correct. Perhaps someone has the same issue and can enlighten me... Thanks!
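The post compares three views of the same event by hand: the priority keyword in the rule, the [Priority: N] field Snort wrote to the fast alert log, and the sig_priority column Barnyard2 wrote to the database. The script below automates that cross-check. It is an added example, not code from the poster or from the Snort, Barnyard2 or Snorby projects; the rule text, the alert line and the database row are constructed inline from the values quoted in the post, and the DB_ROW dict stands in for a row fetched from events_with_join (the functions parse_rule, parse_alert and reconcile are this example's own names).

```python
import re

# Constructed inputs, copied from the post above (not read from a live sensor).
RULE = ('alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; '
        'flow:established,to_client; content:"530 "; depth:4; metadata:policy security-ips alert; '
        'reference:url,www.ietf.org/rfc/rfc0959.txt; sid:13360; rev:3; priority:10;)')

ALERT_LINE = ('01/15-16:51:10.580376 [**] [1:13360:3] POLICY failed FTP login attempt [**] '
              '[Priority: 10] {TCP} 192.3.3.11:21 -> 192.3.3.225:64730')

# Constructed row mirroring the events_with_join output in the post.
DB_ROW = {"sid": 1, "cid": 2563231, "signature": 32, "id": 1558,
          "sig_priority": 3, "sig_name": "POLICY failed FTP login attempt"}

# Fast-format alert: "[gid:sid:rev] msg [**] ... [Priority: N]"
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\[Priority:\s*(\d+)\]')


def parse_rule(rule):
    """Extract sid, rev, msg, priority and classtype from a Snort rule's option block."""
    m = re.search(r'\((.*)\)\s*$', rule)
    if not m:
        raise ValueError("rule has no option block")
    opts = {}
    # Split on ';' only outside double quotes, so 'content:"530 "' style values survive.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', m.group(1)):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return {
        "sid": int(opts["sid"]),
        "rev": int(opts.get("rev", 1)),          # Snort defaults rev to 1 when absent
        "msg": opts.get("msg", ""),
        # The priority keyword is optional; None means "inherit from classtype".
        "priority": int(opts["priority"]) if "priority" in opts else None,
        "classtype": opts.get("classtype"),
    }


def parse_alert(line):
    """Extract gid/sid/rev, message and logged priority from a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a fast-format alert line")
    gid, sid, rev, msg, prio = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev),
            "msg": msg, "priority": int(prio)}


def reconcile(rule, alert_line, db_row):
    """Compare rule, Snort's logged alert and the DB row; return a list of discrepancies.

    An empty list means the three views agree on identity and priority.
    """
    r = parse_rule(rule)
    a = parse_alert(alert_line)
    problems = []
    if (a["sid"], a["rev"]) != (r["sid"], r["rev"]):
        problems.append(f"alert is sid {a['sid']} rev {a['rev']} but rule is "
                        f"sid {r['sid']} rev {r['rev']}")
    if r["priority"] is not None and a["priority"] != r["priority"]:
        problems.append(f"Snort logged priority {a['priority']} but the rule sets "
                        f"priority {r['priority']} for sid {r['sid']}")
    if db_row["sig_name"] != a["msg"]:
        problems.append(f"database sig_name {db_row['sig_name']!r} differs from "
                        f"alert msg {a['msg']!r}")
    if db_row["sig_priority"] != a["priority"]:
        problems.append(f"database sig_priority {db_row['sig_priority']} differs from "
                        f"the priority {a['priority']} Snort logged for sid {a['sid']}")
    return problems


if __name__ == "__main__":
    for p in reconcile(RULE, ALERT_LINE, DB_ROW) or ["consistent"]:
        print(p)
```

Run against the constructed inputs it reports exactly the mismatch in the post: rule and alert agree on priority 10, the database row says 3. Because the check keys on sid and rev rather than on the signature table's internal id, the same function can be pointed at each row a query like the one above returns, which quickly shows whether the mismatch is specific to one rule or affects everything Barnyard2 inserted. Note that Snort's priority keyword overrides the default priority that a classtype would otherwise supply, so a rule that sets priority explicitly (as this one does, with no classtype at all) should carry that value through to the log; parse_rule returns priority None for rules that rely on the classtype default, and reconcile then skips the rule-versus-log comparison.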