Snort mailing list archives
Re: PulledPork / Modifysid.conf Issues
From: Y M <snort () outlook com>
Date: Thu, 19 Sep 2013 17:11:36 +0000
What I meant by "it is already in the database" is that if you have run Snort/Barnyard2 before, and you got this alert showing up on Snorby (which implies it is in the database already) before the modifications, then the case that I saw/experienced was that it will not update the rule since the SID/rule (message) is in the database already.

What I meant by "clear it out" is that you may need to delete the rule (not the alert) from the Snorby database, from the signature table (it contains the signature priority column):

    DELETE FROM signature WHERE sig_sid = 111;

Replace 111 with the signature/rule ID. This is my reasoning and is solely based on how I actually fixed the issue in my case. I haven't worked much with Snorby, but as I recall the database schema is similar to the basic one with additional tables for Snorby to operate. A very wild guess, but could it be that Snorby caching needs a refresh or so?

Thanks.

YM
From: bturnbough () belcan com
To: snort-users () lists sourceforge net
Date: Thu, 19 Sep 2013 16:49:48 +0000
Subject: Re: [Snort-users] PulledPork / Modifysid.conf Issues

I'm not sure what you mean by 'it is already in the database' and to 'clear it out'. Can you please clarify / provide a way to achieve that?

________________________________
From: Turnbough, Bradley E.
Sent: Thursday, September 19, 2013 10:29 AM
To: snort-users () lists sourceforge net
Subject: PulledPork / Modifysid.conf Issues

Gents,

Snort ---2.9.3.1
Pulled Pork ---0.6.1
Barnyard2 ---2.1.9
Snorby ---2.5.3

Rule BEFORE Pulled Pork modifysid processing:
------------------------------------------------------------
alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:15167; rev:11;)

Rule after Pulled Pork modifysid processing:
------------------------------------------------------------
alert udp $HOME_NET any -> $HOME_NET 53 (msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; pcre:"/[\x05-\x20][bcdfghjklmnpqrstvwxyz]{5,32}[^\x00]*?\x02cn\x00/i"; metadata:policy security-ips drop, service dns; classtype:misc-activity; sid:15167; rev:11;)

Modifysid.conf:
------------------------------------------------------------
15167 "classtype:trojan-activity" "classtype:misc-activity";
19020 "classtype:trojan-activity" "classtype:misc-activity";
15168 "classtype:trojan-activity" "classtype:misc-activity";

Classification.conf:
------------------------------------------------------------
config classification: misc-activity,Misc activity,3

What I'm trying to achieve:
------------------------------------------------------------
I want to reclassify the rule from a HIGH priority (1) to a LOW priority (3). It appears that Pulled Pork is doing its job, as I see the classification change in the rules file, but the event isn't being inserted by barnyard2 into the Snorby database with a LOW priority as per the rule classification. This is the very first time I've done this so I'm a bit confused as to why this is occurring. I've restarted both snort and also barnyard2, but no change in outcome.

Ideas?

Thanks,
Brad

_____________________________________________________________
This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
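The following is an added worked example, not code from the thread, PulledPork or Barnyard2. It replays the situation Brad describes and the fix YM suggests in a small Python model: a classtype-to-priority lookup parsed from classification.conf lines, a modifysid.conf substitution applied to the rule from the thread, and a toy "signature" table that, like the behaviour YM describes, only inserts a row the first time a sid is seen and otherwise reuses the cached priority. The table is a constructed model of that described behaviour, not Barnyard2's actual caching code; the trojan-activity classification line, the `stale_signatures` check and all function names are this example's own additions. The modifysid substitution is a plain string replace standing in for PulledPork's own processing.

```python
import re

# Constructed inputs: classification lines (misc-activity is the one quoted in
# the thread; trojan-activity is the stock Snort entry), Brad's modifysid.conf,
# and a shortened copy of rule 15167 keeping only the options this model reads.
CLASSIFICATION_CONF = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

MODIFYSID_CONF = """\
15167 "classtype:trojan-activity" "classtype:misc-activity";
19020 "classtype:trojan-activity" "classtype:misc-activity";
15168 "classtype:trojan-activity" "classtype:misc-activity";
"""

RULE = ('alert udp $HOME_NET any -> $HOME_NET 53 ('
        'msg:"INDICATOR-COMPROMISE Suspicious .cn dns query"; flow:to_server; '
        'classtype:trojan-activity; sid:15167; rev:11;)')


def parse_classifications(text):
    """Map classtype name -> numeric priority from classification.conf lines."""
    prio = {}
    for line in text.splitlines():
        m = re.match(r'\s*config classification:\s*([^,]+),[^,]*,(\d+)', line)
        if m:
            prio[m.group(1).strip()] = int(m.group(2))
    return prio


def parse_rule(rule):
    """Pull sid, rev, msg and classtype out of a single-line Snort rule."""
    def opt(name, pattern=r'([^;]+)'):
        m = re.search(name + r':' + pattern + r';', rule)
        return m.group(1) if m else None
    return {
        'sid': int(opt('sid')),
        'rev': int(opt('rev')),
        'msg': opt('msg', r'"([^"]*)"'),
        'classtype': opt('classtype'),
    }


def apply_modifysid(rules, modifysid_text):
    """Apply `sid "search" "replace";` entries to the rule carrying that sid."""
    edits = {}
    for line in modifysid_text.splitlines():
        m = re.match(r'\s*(\d+)\s+"([^"]*)"\s+"([^"]*)"\s*;?', line)
        if m:
            edits.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    out = []
    for rule in rules:
        for search, replace in edits.get(parse_rule(rule)['sid'], []):
            rule = rule.replace(search, replace)
        out.append(rule)
    return out


class SignatureTable:
    """Toy model (assumption, not Barnyard2 source) of the `signature` table:
    a row is inserted the first time a sid is seen and reused afterwards, so a
    classtype change in the rule file is not reflected until the row is gone."""

    def __init__(self):
        self.rows = {}  # sig_sid -> {'sig_name', 'sig_rev', 'sig_priority'}

    def lookup_or_insert(self, parsed, priorities):
        sid = parsed['sid']
        if sid not in self.rows:
            self.rows[sid] = {
                'sig_name': parsed['msg'],
                'sig_rev': parsed['rev'],
                'sig_priority': priorities[parsed['classtype']],
            }
        return self.rows[sid]['sig_priority']

    def delete_signature(self, sid):
        """Equivalent of YM's: DELETE FROM signature WHERE sig_sid = <sid>;"""
        self.rows.pop(sid, None)


def stale_signatures(table, rules, priorities):
    """Sids whose cached priority no longer matches the loaded rule file."""
    stale = []
    for rule in rules:
        p = parse_rule(rule)
        row = table.rows.get(p['sid'])
        if row and row['sig_priority'] != priorities[p['classtype']]:
            stale.append(p['sid'])
    return stale


def replay_thread():
    """Symptom, then fix; returns the priority stored for each event in order."""
    prios = parse_classifications(CLASSIFICATION_CONF)
    table = SignatureTable()
    seen = []
    # 1. Events arrive while the stock rule is loaded: priority 1 is cached.
    seen.append(table.lookup_or_insert(parse_rule(RULE), prios))
    # 2. PulledPork rewrites the classtype, so the rule now maps to 3 ...
    new_rule = apply_modifysid([RULE], MODIFYSID_CONF)[0]
    # ... but the cached row still answers for sid 15167.
    seen.append(table.lookup_or_insert(parse_rule(new_rule), prios))
    # 3. Clear the stale row; the next event is stored with the new priority.
    table.delete_signature(15167)
    seen.append(table.lookup_or_insert(parse_rule(new_rule), prios))
    return seen


if __name__ == '__main__':
    print(replay_thread())  # [1, 1, 3]
```

The `stale_signatures` helper is the check worth running before restarting anything: compare each sid's cached priority against what the current rules plus classification.conf would produce, and only the rows it reports need clearing.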
Current thread:
- PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)
- Re: PulledPork / Modifysid.conf Issues JJC (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Y M (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)
- Re: PulledPork / Modifysid.conf Issues beenph (Sep 19)
- Re: PulledPork / Modifysid.conf Issues Y M (Sep 23)
- Re: PulledPork / Modifysid.conf Issues Turnbough, Bradley E. (Sep 19)