From: Nigel Houghton (nhoughton
sourcefire.com)
Date: Fri Aug 06 2010 - 20:04:15 CDT
On Fri, 6 Aug 2010 21:48:35 -0300, David Guimaraes wrote:
> Hello. I followed this post
> (http://eatingsecurity.blogspot.com/2008/10/snort-shared-object-rules-with-sguil.html)
> to make so_rules stubs. These stubs were generated fine, but the
> problem is that barnyard does not translate these stub rules correctly.
>
> I followed the right steps to append the generated rules to
> /etc/snort/gen-msg.map (using the oinkmaster create-sid tool), and I
> configured barnyard.conf accordingly.
>
> barnyard config:
> config reference_file: /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file: /etc/snort/gen-msg.map
> config sid_file: /etc/snort/sid-msg.map
>
> gen-msg.map:
> 1 || 1 || snort general alert
> 2 || 1 || tag: Tagged Packet
> 3 || 10126 || WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt
> 3 || 10127 || DOS Microsoft IP Options denial of service
> ..
>
> But when some so_rules fire, I looked at BASE, and I saw this:
> [snort] Snort Alert [1:14644:0]
>
> I think barnyard is not catching (translating) these alerts correctly,
> right? What should I do?
>
> Thanks.
The file you need to append the information to is the sid-msg.map not
the gen-msg.map.
--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
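The point of the reply above, shown as an added example (this is not code from the thread, from Snort, oinkmaster or barnyard): the alert BASE shows is tagged [1:14644:0], i.e. generator 1, and barnyard resolves generator-1 alerts through sid-msg.map (keyed on sid), while gen-msg.map is keyed on (generator, id) and only ever matches the other generators. Appending the stub under generator 3 in gen-msg.map therefore never matches a generator-1 alert. The script renders a rule stub as a sid-msg.map line and resolves alert ids against both maps; the lookup rule (gen 1 through sid-msg.map, everything else through gen-msg.map) is an assumption drawn from the thread, the stub is constructed (only sid 14644 is taken from the thread, the msg and references are made up), and the gen-msg.map lines are the ones the poster quoted.

```python
import re

# Constructed sample shared-object rule stub. Its shape follows the Snort
# stub syntax (msg/reference/classtype/gid/sid/rev); sid 14644 is the one
# from the BASE alert in the thread, every other value is made up.
SAMPLE_STUB = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"WEB-CLIENT example shared object rule"; '
    'reference:cve,2000-0000; reference:bugtraq,0; '
    'classtype:attempted-user; gid:3; sid:14644; rev:1;)'
)

# gen-msg.map as posted in the thread (generator || id || message).
SAMPLE_GEN_MSG_MAP = """\
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 10126 || WEB-CLIENT QuickTime JPEG Huffman Table integer underflow attempt
3 || 10127 || DOS Microsoft IP Options denial of service
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)')
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')
REF_RE = re.compile(r'\breference:\s*([^;]+);')
ALERT_ID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')


def stub_to_sid_msg_line(stub):
    """Render one rule stub as a sid-msg.map line: 'sid || msg || ref || ref'.

    sid-msg.map is keyed on sid alone, so the stub's gid option is dropped;
    that is why a gen-msg.map entry under generator 3 cannot help when the
    alert arrives tagged as generator 1.
    """
    sid = SID_RE.search(stub)
    msg = MSG_RE.search(stub)
    if not sid or not msg:
        raise ValueError("stub is missing a sid or msg option")
    refs = [r.strip() for r in REF_RE.findall(stub)]
    return " || ".join([sid.group(1), msg.group(1), *refs])


def _map_lines(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [field.strip() for field in line.split("||")]


def parse_sid_msg_map(text):
    """sid-msg.map: 'sid || msg || ref...' -> {sid: msg}."""
    return {int(f[0]): f[1] for f in _map_lines(text)}


def parse_gen_msg_map(text):
    """gen-msg.map: 'gen || id || msg' -> {(gen, id): msg}."""
    return {(int(f[0]), int(f[1])): f[2] for f in _map_lines(text)}


def resolve_alert(alert_id, sid_map, gen_map):
    """Map a '[gen:sid:rev]' alert tag to its message text.

    Assumed lookup rule, as the thread implies: generator 1 (the rules
    engine) is resolved through sid-msg.map by sid; any other generator
    through gen-msg.map by (gen, id). None means no mapping, which is what
    BASE shows as a bare 'Snort Alert [1:14644:0]'.
    """
    m = ALERT_ID_RE.search(alert_id)
    if not m:
        raise ValueError("not a [gen:sid:rev] alert id: %r" % alert_id)
    gen, sid = int(m.group(1)), int(m.group(2))
    if gen == 1:
        return sid_map.get(sid)
    return gen_map.get((gen, sid))


def demo():
    """Resolve the thread's alert before and after fixing the map."""
    gen_map = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    # Poster's setup: stub only in gen-msg.map, sid-msg.map lacks it.
    before = resolve_alert("[1:14644:0]", parse_sid_msg_map(""), gen_map)
    # Append the stub to sid-msg.map instead; the same alert now resolves.
    sid_map = parse_sid_msg_map(stub_to_sid_msg_line(SAMPLE_STUB))
    after = resolve_alert("[1:14644:0]", sid_map, gen_map)
    return before, after


if __name__ == "__main__":
    print(stub_to_sid_msg_line(SAMPLE_STUB))
    print(demo())
```

Running it prints the sid-msg.map line for the stub and then (None, 'WEB-CLIENT example shared object rule'): unresolved with the poster's gen-msg.map-only setup, resolved once the same entry is in sid-msg.map. The generator-2 and generator-3 entries the poster added to gen-msg.map still resolve through that file, so nothing needs to be removed from it.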