Snort mailing list archives

sid-msg.map


From: Johnny Venter <johnny.venter () zoho com>
Date: Thu, 14 Mar 2013 14:31:43 -0400

I'm using Snorby as my front-end; not sure if this question is directly related to Snort or Snorby.

Most of my alerts display the "msg" field, some do not.

For example I see the following alert in Snorby: Snort Alert [1:24889:1]

Looking through the rules and map files, I found this:

exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole Exploit Kit 
landing page retrieval"; flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; 
pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; 
reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; 
reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; 
reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;)

sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889 
|| cve,2012-1723 || cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || cve,2010-1885 
|| cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || cve,2007-5659 || cve,2006-0003

Are the entries in "exploit-kit.rules" and "sid-msg.map" correct?

I *did* find info running the following MySQL queries:

select * from data where cid=25568;
select * from event where cid=25568;
select * from tcphdr where cid=25568;

…but did not find any msg info. Any ideas?

Thanks.
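An added example (not part of the original post) of the check a responder would run before chasing the database: parse the sid-msg.map file and resolve the "[gid:sid:rev]" tag from an alert string to its msg text, so it is immediately clear which alert SIDs have no map entry at all. The sample map text is constructed from the single 25568 line quoted above (grep prefix stripped, wrapped line rejoined); the v2 layout ("#v2" header, then gid || sid || rev || classification || priority || msg || refs) is assumed to match Snort 2.9.x, and the v2 sample line is constructed. Alert 24889 is deliberately absent from the sample so the lookup shows what an unmapped SID looks like.

```python
"""Resolve a Snort alert's [gid:sid:rev] tag to its sid-msg.map message."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample map text: the v1-format line quoted in the post,
# with the grep prefix "sid-msg.map:12802:" removed and the line rejoined.
SAMPLE_MAP_V1 = (
    "25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || "
    "cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || cve,2012-0507 || "
    "cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || "
    "cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || "
    "cve,2007-5659 || cve,2006-0003\n"
)

# Constructed v2-format equivalent (layout assumed as in Snort 2.9.x:
# gid || sid || rev || classification || priority || msg || ref ...).
SAMPLE_MAP_V2 = (
    "#v2\n"
    "1 || 25568 || 1 || trojan-activity || 1 || "
    "EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681\n"
)

# Matches the "[gid:sid:rev]" tag that Snort/Barnyard2 front-ends print.
ALERT_TAG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


class MapEntry(NamedTuple):
    gid: int
    sid: int
    msg: str
    refs: List[str]


def parse_sid_msg_map(text: str) -> Dict[Tuple[int, int], MapEntry]:
    """Parse v1 ("sid || msg || refs") or v2 ("#v2" header) map text.

    Returns a dict keyed by (gid, sid); v1 files carry no gid, so the
    generator id defaults to 1 (the text rules engine).
    """
    is_v2 = text.lstrip().startswith("#v2")
    entries: Dict[Tuple[int, int], MapEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment/header
        fields = [f.strip() for f in line.split("||")]
        try:
            if is_v2:
                if len(fields) < 6:
                    continue  # malformed v2 line: too few columns
                gid, sid, msg, refs = int(fields[0]), int(fields[1]), fields[5], fields[6:]
            else:
                if len(fields) < 2:
                    continue  # malformed v1 line: no msg column
                gid, sid, msg, refs = 1, int(fields[0]), fields[1], fields[2:]
        except ValueError:
            continue  # non-numeric gid/sid: skip rather than abort the whole file
        entries[(gid, sid)] = MapEntry(gid, sid, msg, [r for r in refs if r])
    return entries


def parse_alert_tag(alert: str) -> Optional[Tuple[int, int, int]]:
    """Extract (gid, sid, rev) from e.g. 'Snort Alert [1:24889:1]'."""
    m = ALERT_TAG_RE.search(alert)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.groups())
    return gid, sid, rev


def lookup_msg(alert: str, entries: Dict[Tuple[int, int], MapEntry]) -> Optional[str]:
    """Return the map msg for an alert string, or None if the SID is unmapped."""
    tag = parse_alert_tag(alert)
    if tag is None:
        return None
    entry = entries.get((tag[0], tag[1]))
    return entry.msg if entry else None


def unmapped_alerts(alerts: List[str],
                    entries: Dict[Tuple[int, int], MapEntry]) -> List[Tuple[int, int, int]]:
    """List the (gid, sid, rev) tags from alert strings that have no map entry."""
    missing = []
    for alert in alerts:
        tag = parse_alert_tag(alert)
        if tag is not None and (tag[0], tag[1]) not in entries:
            missing.append(tag)
    return missing


if __name__ == "__main__":
    table = parse_sid_msg_map(SAMPLE_MAP_V1)
    for a in ("Snort Alert [1:25568:1]", "Snort Alert [1:24889:1]"):
        print(a, "->", lookup_msg(a, table))
    print("unmapped:", unmapped_alerts(["Snort Alert [1:24889:1]"], table))
```

Pointing `parse_sid_msg_map` at the real file (`open("/etc/snort/sid-msg.map").read()`) and feeding it the bare tags the console shows separates the two possible causes cleanly: a SID that resolves here but not in the front-end points at the database/Barnyard2 side, while a SID that is missing from the map file can only be fixed by regenerating the map from the rules in use.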

