Re: [Snort-users] snort 2.8.6.1 / barnyard2 2-1.8 (unified2) problem

From: JJC (cummingsjgmail.com)
Date: Fri Aug 27 2010 - 09:32:27 CDT


You need to update your sid-msg map so that it has all of the meta
information for those SIDs. You then need to (re)start barnyard2 so that it
inserts the correct information from that point forward. Of course that
doesn't fix the existing data in the database. To fix that you will need to
either build a tool that will go back and update the entries with the meta
information or you will want to delete the data and restart barnyard2
telling it to read and insert the old unified data.

JJC

On Fri, Aug 27, 2010 at 7:54 AM, Lawrence R. Hughes, Sr. <
lhughessafemedia.com> wrote:

> Hi,
>
> Found a problem where the following was returned from the snort.signature
> table for the following query:
>
> SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';
>
> '969', 'Snort Alert [138:2:0]'
> '443', 'Snort Alert [138:4:0]'
> '1181', 'Snort Alert [1:13974:0]'
> '1163', 'Snort Alert [1:14782:0]'
> '1251', 'Snort Alert [1:15114:0]'
> '1160', 'Snort Alert [1:16180:0]'
> '402', 'Snort Alert [1:2402000:0]'
> '420', 'Snort Alert [1:2402001:0]'
> '499', 'Snort Alert [1:2402000:0]'
> '549', 'Snort Alert [1:2402001:0]'
> '504', 'Snort Alert [1:2406085:0]'
> '531', 'Snort Alert [1:2406097:0]'
> '558', 'Snort Alert [1:2406011:0]'
> '628', 'Snort Alert [1:2406063:0]'
> '676', 'Snort Alert [1:2406010:0]'
> '498', 'Snort Alert [1:2406181:0]'
> '505', 'Snort Alert [1:2406189:0]'
> '601', 'Snort Alert [1:2406146:0]'
> '622', 'Snort Alert [1:2406144:0]'
> '625', 'Snort Alert [1:2406183:0]'
> '433', 'Snort Alert [1:2406242:0]'
> '529', 'Snort Alert [1:2406237:0]'
> '544', 'Snort Alert [1:2406281:0]'
> '576', 'Snort Alert [1:2406207:0]'
> '617', 'Snort Alert [1:2406260:0]'
> '666', 'Snort Alert [1:2406245:0]'
> '555', 'Snort Alert [1:2406361:0]'
> '564', 'Snort Alert [1:2406391:0]'
> '501', 'Snort Alert [1:2406493:0]'
> '568', 'Snort Alert [1:2406463:0]'
> '623', 'Snort Alert [1:2406418:0]'
> '624', 'Snort Alert [1:2406492:0]'
> '641', 'Snort Alert [1:2406489:0]'
> '503', 'Snort Alert [1:2406569:0]'
> '554', 'Snort Alert [1:2406595:0]'
> '570', 'Snort Alert [1:2406503:0]'
> '619', 'Snort Alert [1:2406542:0]'
> '643', 'Snort Alert [1:2406584:0]'
> '649', 'Snort Alert [1:2406594:0]'
> '661', 'Snort Alert [1:2406564:0]'
> '414', 'Snort Alert [1:2406649:0]'
> '415', 'Snort Alert [1:2406648:0]'
> '479', 'Snort Alert [1:2406614:0]'
> '516', 'Snort Alert [1:2406621:0]'
> '543', 'Snort Alert [1:2406608:0]'
> '574', 'Snort Alert [1:2406623:0]'
> '629', 'Snort Alert [1:2406641:0]'
> '630', 'Snort Alert [1:2406640:0]'
> '644', 'Snort Alert [1:2406612:0]'
> '668', 'Snort Alert [1:2406606:0]'
> '432', 'Snort Alert [1:2500036:0]'
> '435', 'Snort Alert [1:2500004:0]'
> '472', 'Snort Alert [1:2500024:0]'
> '473', 'Snort Alert [1:2500016:0]'
> '474', 'Snort Alert [1:2500030:0]'
> '494', 'Snort Alert [1:2500020:0]'
> '495', 'Snort Alert [1:2500098:0]'
> '552', 'Snort Alert [1:2500088:0]'
> '553', 'Snort Alert [1:2500099:0]'
> '559', 'Snort Alert [1:2500071:0]'
> '565', 'Snort Alert [1:2500077:0]'
> '566', 'Snort Alert [1:2500002:0]'
> '567', 'Snort Alert [1:2500063:0]'
> '581', 'Snort Alert [1:2500024:0]'
> '590', 'Snort Alert [1:2500008:0]'
> '616', 'Snort Alert [1:2500004:0]'
> '618', 'Snort Alert [1:2500022:0]'
> '652', 'Snort Alert [1:2500020:0]'
> '662', 'Snort Alert [1:2500016:0]'
> '667', 'Snort Alert [1:2500042:0]'
> '677', 'Snort Alert [1:2500030:0]'
> '416', 'Snort Alert [1:2500174:0]'
> '417', 'Snort Alert [1:2500135:0]'
> '477', 'Snort Alert [1:2500142:0]'
> '481', 'Snort Alert [1:2500124:0]'
> '483', 'Snort Alert [1:2500118:0]'
> '492', 'Snort Alert [1:2500100:0]'
> '493', 'Snort Alert [1:2500126:0]'
> '533', 'Snort Alert [1:2500150:0]'
> '550', 'Snort Alert [1:2500148:0]'
> '556', 'Snort Alert [1:2500168:0]'
> '571', 'Snort Alert [1:2500126:0]'
> '572', 'Snort Alert [1:2500182:0]'
> '573', 'Snort Alert [1:2500139:0]'
> '575', 'Snort Alert [1:2500154:0]'
> '586', 'Snort Alert [1:2500170:0]'
> '591', 'Snort Alert [1:2500162:0]'
> '592', 'Snort Alert [1:2500114:0]'
> '595', 'Snort Alert [1:2500106:0]'
> '596', 'Snort Alert [1:2500122:0]'
> '597', 'Snort Alert [1:2500176:0]'
> '609', 'Snort Alert [1:2500108:0]'
> '613', 'Snort Alert [1:2500104:0]'
> '614', 'Snort Alert [1:2500130:0]'
> '627', 'Snort Alert [1:2500166:0]'
> '632', 'Snort Alert [1:2500128:0]'
> '633', 'Snort Alert [1:2500102:0]'
> '634', 'Snort Alert [1:2500102:0]'
> '635', 'Snort Alert [1:2500120:0]'
> '639', 'Snort Alert [1:2500164:0]'
> '646', 'Snort Alert [1:2500110:0]'
> '475', 'Snort Alert [1:2500245:0]'
> '478', 'Snort Alert [1:2500266:0]'
> '496', 'Snort Alert [1:2500218:0]'
> '557', 'Snort Alert [1:2500211:0]'
> '594', 'Snort Alert [1:2500272:0]'
> '637', 'Snort Alert [1:2500232:0]'
> '638', 'Snort Alert [1:2500232:0]'
> '664', 'Snort Alert [1:2500208:0]'
> '665', 'Snort Alert [1:2500210:0]'
> '534', 'Snort Alert [1:2520138:0]'
> '377', 'Snort Alert [1:66666:0]'
>
> Barnyard2 is supposed to insert signature names like "NETBIOS DCERPC
> NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt" into sig_name
> of the snort.signature table correct?
>
> So what happened?
>
> Better yet, how do we clean this mess up?
>
> We think Barnyard2 is not at fault, and the snort sid-msg.map and rules
> are the problem.
>
> Are we thinking in the correct direction?
>
> Thanks,
> Larry
>

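JJC's first repair option (a tool that walks the existing signature rows and back-fills the meta information) as an added example; this is not code from the thread and not part of barnyard2. It assumes the v1 sid-msg.map layout `sid || msg || ref || ...` and the gen-msg.map layout `gid || sid || msg`, takes rows in the shape returned by Larry's `SELECT sig_id,sig_name ...` query, and emits parameterised UPDATE statements for a DB-API cursor instead of executing them, so the result can be reviewed before anything is written. The map contents, the pairing of SIDs with messages, and the sample rows are constructed for the example (the sig_id and gid:sid:rev values are copied from the thread).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in v1 sid-msg.map layout: "sid || msg || ref || ref ...".
# The sid/message pairing is made up for this example.
SID_MSG_MAP = """\
# sid-msg.map (v1 layout, constructed sample)
13974 || NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt || url,example.invalid
2402000 || CONSTRUCTED rule message for sid 2402000 || url,example.invalid
"""

# Constructed sample in gen-msg.map layout: "gid || sid || msg" (used for gid != 1).
GEN_MSG_MAP = """\
138 || 2 || CONSTRUCTED preprocessor message for gid 138 sid 2
"""

# Name barnyard2 writes when it has no map entry for an event: "Snort Alert [gid:sid:rev]".
PLACEHOLDER = re.compile(r"^Snort Alert \[(\d+):(\d+):(\d+)\]$")

Key = Tuple[int, int]  # (gid, sid)


def _fields(line: str) -> List[str]:
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text: str) -> Dict[Key, str]:
    """Map (1, sid) -> msg from v1 sid-msg.map text; skips comments and malformed lines."""
    out: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        if len(f) < 2 or not f[0].isdigit():
            continue
        out[(1, int(f[0]))] = f[1]
    return out


def parse_gen_msg_map(text: str) -> Dict[Key, str]:
    """Map (gid, sid) -> msg from gen-msg.map text."""
    out: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        if len(f) < 3 or not (f[0].isdigit() and f[1].isdigit()):
            continue
        out[(int(f[0]), int(f[1]))] = f[2]
    return out


def load_meta(sid_msg_text: str, gen_msg_text: str) -> Dict[Key, str]:
    """Combined lookup; a sid-msg.map entry wins over gen-msg.map for gid 1."""
    meta = parse_gen_msg_map(gen_msg_text)
    meta.update(parse_sid_msg_map(sid_msg_text))
    return meta


def parse_placeholder(sig_name: str):
    """Return (gid, sid, rev) if sig_name is a barnyard2 placeholder, else None."""
    m = PLACEHOLDER.match(sig_name)
    return tuple(int(x) for x in m.groups()) if m else None


def build_updates(rows: Iterable[Tuple[int, str]], meta: Dict[Key, str]):
    """rows: (sig_id, sig_name) pairs as returned by
         SELECT sig_id,sig_name FROM snort.signature WHERE sig_name like 'snort%';
    Returns (updates, unresolved). updates are (sql, params) tuples for a DB-API
    cursor; the WHERE clause repeats the old name so a row is only touched while it
    still holds the placeholder. unresolved lists rows whose gid:sid has no map entry."""
    updates, unresolved = [], []
    for sig_id, sig_name in rows:
        parsed = parse_placeholder(sig_name)
        if parsed is None:
            continue  # already a real rule name; leave it alone
        gid, sid, rev = parsed
        msg = meta.get((gid, sid))
        if msg is None:
            unresolved.append((sig_id, gid, sid, rev))
            continue
        updates.append((
            "UPDATE snort.signature SET sig_name = %s WHERE sig_id = %s AND sig_name = %s",
            (msg, sig_id, sig_name),
        ))
    return updates, unresolved


# Constructed rows: sig_id and gid:sid:rev values copied from the thread's query
# output, plus one row that already carries a proper name.
SAMPLE_ROWS = [
    (969, "Snort Alert [138:2:0]"),
    (1181, "Snort Alert [1:13974:0]"),
    (402, "Snort Alert [1:2402000:0]"),
    (499, "Snort Alert [1:2402000:0]"),
    (377, "Snort Alert [1:66666:0]"),
    (12, "CONSTRUCTED already-named signature"),
]


def demo():
    return build_updates(SAMPLE_ROWS, load_meta(SID_MSG_MAP, GEN_MSG_MAP))


if __name__ == "__main__":
    updates, unresolved = demo()
    for sql, params in updates:
        print(sql, params)
    for sig_id, gid, sid, rev in unresolved:
        print(f"no map entry for sig_id {sig_id}: {gid}:{sid}:{rev}")
```

Two things worth noticing in the thread's own data: sig_ids 402 and 499 both stand for 1:2402000, so barnyard2 created more than one signature row for a single rule, and this script renames both but does not merge them (merging would also mean repointing the event rows, which is deliberately out of scope here). Any gid:sid that ends up in `unresolved` (377 in the sample) is a rule that is still missing from sid-msg.map, so the map needs fixing before the restart JJC describes, or barnyard2 will keep writing placeholders for it.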
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users