Home page logo
/

snort logo Snort mailing list archives

Snort 2.9.0.2 / barnyard2 / base 1.4.5 signature not displayed and is unclassified
From: JS <jspudz () yahoo com>
Date: Fri, 17 Dec 2010 07:43:32 -0800 (PST)

All,

I recently decided to update my IDS(RHEL 5) to use the latest versions of snort, 
barnyard, and base. Previously this was all working fine. I am able to compile 
snort 2.9.0.2, barnyard2, and base 1.4.5 just fine. Everything is working except 
for a few signatures showing up in Base.

They are logging fine to my db, its just that a few of the alerts are showing up 
as "unclassified" and the Signature is displaying as " Snort Alert [129:15:0] ". 
I also see the same events logged for signatures 120:3:0 and 129:16:0. Now I did 
use the snort rules 2.9.0.1 as 2.9.0.2 are not out yet so I'm not sure if that 
is causing a problem or not.. 


I also created a new db, from the create_mysql included in snort 2.9.0.2. I then 
copied over the sid-msg.map, gen-msg.map, classification.config, unicode.map, 
and reference.config to the /etc/snort directory that were included in 
snort.2.9.0.2 tar file. 


I looked in the gen-msg.map file and I only see it going up to "14" for the 129 
stream5 event. Could this be the problem? Snippit below:

--snippet from gen-msg.map--
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
 --end snippet--

Have  I missed a step somewhere ? I have never seen this happen in my other 
snort deployments utilizing this same setup.

Thanks,
Joe



      
------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]