Snort mailing list archives
Re: sid-msg.map
From: beenph <beenph () gmail com>
Date: Thu, 14 Mar 2013 14:49:06 -0400
cid is actually a event identifier bound to an event and a sensor (sid) So sensor 1 (sid 1) cid are not sensor 2 (sid 2) cid, etc.. SELECT * FROM signature WHERE sig_sid = 25568; SELECT * FROM cid FROM event WHERE signature = SELECT sig_id FROM signature WHERE sig_sid = 25568 AND sid = 1; SELECT * FROM data WHERE cid IN (SELECT cid FROM event WHERE signature = (SELECT sig_id FROM signature WHERE sig_sid = 25568) AND sid = 1); SELECT * FROM data WHERE cid IN (SELECT cid FROM event WHERE signature = (SELECT sig_id FROM signature WHERE sig_sid = 25568) AND sid = 1); Hope this helps -elz On Thu, Mar 14, 2013 at 2:31 PM, Johnny Venter <johnny.venter () zoho com> wrote:
I'm using Snorby as my front-end not sure if this question directly related to Snort or Snorby. Most of my alerts display the "msg" field, some do not For example I see the following alert in Snorby: Snort Alert [1:24889:1] Looking thru the rules and map files, I found this: exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval"; flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;) sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 || cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 || cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 || cve,2008-0655 || cve,2007-5659 || cve,2006-0003 Are the entries in "exploit-kit.rules" and "sid-msg.map" correct? I *did* find info running the following MySQL queries: select * from data where cid=25568; select * from event where cid=25568; select * from tcphdr where cid=25568; …but did not find any msg info. Any ideas?? Thanks. ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- sid-msg.map Johnny Venter (Mar 14)
- Re: sid-msg.map Jeremy Hoel (Mar 14)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map Y M (Mar 19)
- Re: sid-msg.map johnny.venter (Mar 19)
- Re: sid-msg.map beenph (Mar 14)
- Re: sid-msg.map Joel Esler (Mar 19)
- Re: sid-msg.map Jeremy Hoel (Mar 14)