Re: sid-msg.map

[beenph <beenph () gmail com>]

cid is actually a event identifier bound to an event and a sensor (sid)

So sensor 1 (sid 1) cid are not sensor 2 (sid 2) cid, etc..


SELECT * FROM signature WHERE sig_sid = 25568;

SELECT * FROM cid FROM event WHERE signature =  SELECT sig_id FROM
signature WHERE sig_sid = 25568 AND sid = 1;

SELECT * FROM data WHERE cid IN (SELECT cid FROM event WHERE signature
= (SELECT sig_id FROM signature WHERE sig_sid = 25568) AND sid = 1);
SELECT * FROM data WHERE cid IN (SELECT cid FROM event WHERE signature
= (SELECT sig_id FROM signature WHERE sig_sid = 25568) AND sid = 1);

Hope this helps
-elz




On Thu, Mar 14, 2013 at 2:31 PM, Johnny Venter <johnny.venter () zoho com> wrote:
> I'm using Snorby as my front-end not sure if this question directly related
> to Snort or Snorby.
>
> Most of my alerts display the "msg" field, some do not
>
> For example I see the following alert in Snorby: Snort Alert [1:24889:1]
>
> Looking thru the rules and map files, I found this:
>
> exploit-kit.rules:170:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval";
> flow:to_server,established; content:"/q.php"; fast_pattern:only; http_uri;
> pcre:"/\/[a-f0-9]{16}\/q\.php/U"; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:cve,2006-0003;
> reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992;
> reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559;
> reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188;
> reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889;
> reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:1;)
>
> sid-msg.map:12802:25568 || EXPLOIT-KIT Blackhole Exploit Kit landing page
> retrieval || cve,2012-4681 || cve,2012-1889 || cve,2012-1723 ||
> cve,2012-0507 || cve,2012-0188 || cve,2011-3544 || cve,2011-2110 ||
> cve,2011-0559 || cve,2010-1885 || cve,2009-0927 || cve,2008-2992 ||
> cve,2008-0655 || cve,2007-5659 || cve,2006-0003
>
> Are the entries in "exploit-kit.rules" and "sid-msg.map" correct?
>
> I *did* find info running the following MySQL queries:
>
> select * from data where cid=25568;
> select * from event where cid=25568;
> select * from tcphdr  where cid=25568;
>
> …but did not find any msg info.  Any ideas??
>
> Thanks.
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!