Snort mailing list archives

Snort / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: JS <jspudz () yahoo com>
Date: Fri, 17 Dec 2010 07:43:32 -0800 (PST)


I recently decided to update my IDS (RHEL 5) to use the latest versions of snort,
barnyard, and base. Previously this was all working fine. I am able to compile
snort, barnyard2, and base 1.4.5 just fine. Everything is working except
for a few signatures showing up in Base.

They are logging fine to my db, it's just that a few of the alerts are showing up
as "unclassified" and the Signature is displaying as " Snort Alert [129:15:0] ".
I also see the same events logged for signatures 120:3:0 and 129:16:0. Now I did
use the snort rules as are not out yet so I'm not sure if that
is causing a problem or not.

I also created a new db from the create_mysql included in snort. I then
copied over the sid-msg.map, gen-msg.map, classification.config, unicode.map,
and reference.config to the /etc/snort directory that were included in the
snort tar file.

I looked in the gen-msg.map file and I only see it going up to "14" for the 129
stream5 event. Could this be the problem? Snippet below:

--snippet from gen-msg.map--
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
--end snippet--

Have I missed a step somewhere? I have never seen this happen in my other
snort deployments utilizing this same setup.


Snort-users mailing list
Snort-users () lists sourceforge net
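A quick way to check whether the map files barnyard2 is reading are older than the events in the database, as an added example (not code from the original post, from barnyard2 or from the Snort project): parse gen-msg.map and sid-msg.map in their "a || b || c" form and list every alert whose gid:sid has no entry. The sample map contents and the alert list are constructed inline (the gen-msg.map part reuses the poster's snippet), and the rule that gid 1 and gid 3 events resolve through sid-msg.map while every other gid resolves through gen-msg.map is an assumption about how barnyard2 looks messages up.

```python
"""List Snort alerts (gid:sid:rev) that have no message in the map files.

Added example, not code from the original post or from the Snort project.
Formats assumed: gen-msg.map lines are 'gid || sid || msg' (as in the
poster's snippet); sid-msg.map lines are 'sid || msg [|| reference ...]'.
Assumption: like barnyard2, gid 1 and 3 are resolved via sid-msg.map and
every other generator id via gen-msg.map.
"""
from typing import Dict, Iterable, List, Optional, Tuple

AlertId = Tuple[int, int, int]  # (gid, sid, rev) as stored in the event table

# Constructed sample gen-msg.map: the poster's snippet plus two typical lines.
GEN_MSG_MAP = """\
1 || 1 || snort general alert
120 || 2 || http_inspect: DOUBLE DECODING ATTACK
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
"""

# Constructed sample sid-msg.map (comments and blank lines are skipped).
SID_MSG_MAP = """\
# local rules
1000001 || LOCAL example rule || url,example.invalid
1000002 || LOCAL second example
"""

# Constructed alerts, including the three ids from the post.
ALERTS: List[AlertId] = [
    (1, 1000001, 3),
    (1, 1000003, 1),
    (120, 3, 0),
    (129, 14, 0),
    (129, 15, 0),
    (129, 16, 0),
]

SID_MSG_GIDS = {1, 3}  # assumption: these gids use sid-msg.map


def _fields(text: str) -> Iterable[List[str]]:
    """Yield the '||'-separated, whitespace-trimmed fields of each data line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield [f.strip() for f in line.split("||")]


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Map (gid, sid) -> message text; malformed lines are ignored."""
    mapping: Dict[Tuple[int, int], str] = {}
    for f in _fields(text):
        if len(f) >= 3 and f[0].isdigit() and f[1].isdigit():
            mapping[(int(f[0]), int(f[1]))] = f[2]
    return mapping


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Map sid -> message text; trailing reference fields are dropped."""
    mapping: Dict[int, str] = {}
    for f in _fields(text):
        if len(f) >= 2 and f[0].isdigit():
            mapping[int(f[0])] = f[1]
    return mapping


def resolve(alert: AlertId, gen_map: Dict[Tuple[int, int], str],
            sid_map: Dict[int, str]) -> Optional[str]:
    """Return the message an alert would be displayed with, or None."""
    gid, sid, _rev = alert
    if gid in SID_MSG_GIDS:
        return sid_map.get(sid)
    return gen_map.get((gid, sid))


def unmapped_alerts(alerts: Iterable[AlertId], gen_map: Dict[Tuple[int, int], str],
                    sid_map: Dict[int, str]) -> List[AlertId]:
    """Alerts that a console would show as a bare 'Snort Alert [gid:sid:rev]'."""
    return sorted({a for a in alerts if resolve(a, gen_map, sid_map) is None})


def highest_sid(gen_map: Dict[Tuple[int, int], str], gid: int) -> Optional[int]:
    """Highest sid known for a generator; a low value hints the map is stale."""
    sids = [s for g, s in gen_map if g == gid]
    return max(sids) if sids else None


if __name__ == "__main__":
    gen, sids = parse_gen_msg_map(GEN_MSG_MAP), parse_sid_msg_map(SID_MSG_MAP)
    for gid, sid, rev in unmapped_alerts(ALERTS, gen, sids):
        print(f"no message for {gid}:{sid}:{rev} (map knows gid {gid} up to sid "
              f"{highest_sid(gen, gid)})")
```

Run against the real /etc/snort files and the gid/sid pairs from the signature table, the output is the list of ids the console can only label as "Snort Alert [gid:sid:rev]"; for the sample above that is 129:15 and 129:16 (the map stops at 129:14) plus 120:3 and a local sid absent from sid-msg.map.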