Snort mailing list archives

Re: Barnyard not using gen-msg.map


From: Jon P <jon () streamlinedev net>
Date: Thu, 5 May 2016 04:11:33 +0000

Thank you so much for the reply! 

I was able to get *most* of the metadata I was looking for by dropping the snort mysql tables. Read somewhere last 
night that this is sometimes a hail-mary approach. But as I still have my unified alerts, it wasn't too much to reprocess 
the last 30 days. 

Will try giving the docs a deeper read. Thanks!

-jp

-----Original Message-----
From: Y M [mailto:snort () outlook com] 
Sent: Wednesday, May 04, 2016 11:46 AM
To: Jon P <jon () streamlinedev net>
Cc: snort-users () lists sourceforge net
Subject: Re: Barnyard not using gen-msg.map

In a nutshell, since ET rules do not contain policy metadata, the sid-msg.map does not get updated with the new 
signatures, hence, Barnyard2 is not able to get the signatures' messages.

To elaborate in a more generic form, PulledPork uses the specified rules policy (via -I) to determine which rules to 
enable, depending on the chosen policy, i.e. security, balanced, or connectivity. This is done through a signature's 
policy, which is defined in the metadata keyword. This also allows PulledPork to parse the messages from the matching 
policy and update the sid-msg.map. When Barnyard2 reads the unified2 output, it gets the signature message from the 
updated sid-msg.map. When it does not find the signature in question, it replaces it with the message you have been 
seeing.

One workaround off the top of my head is to modify the signatures - using modifysid.conf - to include the policy/metadata 
needed. I want to say I have tried this at some point, though I can't remember, as you may get into a chicken-and-egg 
situation. Give the PulledPork documentation a read and see the order in which the rules are processed.

YM

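To make the mechanism YM describes concrete, here is an added example (illustrative Python written for this page, not PulledPork's or Barnyard2's own code) that models the pipeline end to end: parse rules, apply a policy filter modelled on PulledPork's -I option, write a sid-msg.map, then resolve an event the way Barnyard2 does, falling back to the generic "Snort Alert [gid:sid:rev]" text when the sid is absent from the map. It also shows the effect of the modifysid-style workaround of appending policy metadata to a rule that has none. Assumptions: the two rules are constructed (sid 2101411 is the sid from the thread, but its msg and options are made up); the `policy <name>-ips <action>` metadata syntax is taken from the Talos/VRT rule sets; the map is written in the older `sid || msg` format; and the filtering is a simplification of what PulledPork actually does.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rules (not the real ET or Talos rules). sid 2101411 is the
# sid from the thread, but its msg text and options here are made up.
SAMPLE_RULES = """\
# Rule carrying policy metadata, in the style of the Talos/VRT rule sets
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule with policy metadata"; flow:established; content:"abc"; classtype:trojan-activity; sid:1000001; rev:3; metadata:policy balanced-ips drop, policy security-ips drop;)
# Rule without any policy metadata, in the style of the ET community rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE rule without policy metadata"; content:"xyz"; classtype:attempted-admin; sid:2101411; rev:12;)
"""

MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
# "policy balanced-ips drop" style entries inside the metadata option
POLICY_RE = re.compile(r'policy\s+([\w-]+)-ips\s+(\w+)')


def parse_rules(text: str) -> List[Dict]:
    """Extract gid/sid/rev/msg and the policy metadata from each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if not (sid and msg):
            continue  # not a rule line (or malformed); skip it
        rev, gid, meta = REV_RE.search(line), GID_RE.search(line), META_RE.search(line)
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,   # gid defaults to 1 for text rules
            "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg.group(1),
            "policies": policies,                      # e.g. {"security": "drop"}
        })
    return rules


def select_rules(rules: List[Dict], policy: Optional[str] = None) -> List[Dict]:
    """Simplified model of PulledPork -I: with a policy, keep only rules whose
    metadata names that policy; without one, keep every rule."""
    if policy is None:
        return list(rules)
    return [r for r in rules if policy in r["policies"]]


def render_sid_msg_map(rules: List[Dict]) -> str:
    """Write the selected rules in the older 'sid || msg' sid-msg.map format."""
    ordered = sorted(rules, key=lambda r: r["sid"])
    return "".join(f'{r["sid"]} || {r["msg"]}\n' for r in ordered)


def load_sid_msg_map(text: str) -> Dict[int, str]:
    """Read a 'sid || msg' map back into a sid -> message dictionary."""
    sid_map: Dict[int, str] = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sid_map[int(parts[0])] = parts[1]
    return sid_map


def lookup_message(sid_map: Dict[int, str], gid: int, sid: int, rev: int) -> str:
    """Resolve a unified2 event the way the thread describes Barnyard2 doing it:
    the map's message when the sid is present, else the generic placeholder."""
    msg = sid_map.get(sid)
    return msg if msg is not None else f"Snort Alert [{gid}:{sid}:{rev}]"


def add_policy_metadata(rule_line: str, policy: str, action: str = "alert") -> str:
    """The modifysid-style workaround: append 'policy <name>-ips <action>' to the
    rule's metadata (creating the option if the rule has none)."""
    meta = META_RE.search(rule_line)
    if meta:
        merged = f"metadata:{meta.group(1).strip()}, policy {policy}-ips {action};"
        return rule_line[:meta.start()] + merged + rule_line[meta.end():]
    idx = rule_line.rstrip().rfind(")")  # insert just before the closing paren
    return rule_line[:idx] + f" metadata:policy {policy}-ips {action};" + rule_line[idx:]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for policy in (None, "security"):
        sid_map = load_sid_msg_map(render_sid_msg_map(select_rules(rules, policy)))
        print(f"policy={policy}: {lookup_message(sid_map, 1, 2101411, 12)}")
```

With no policy both rules reach the map and the ET-style event resolves to its message; with a policy of "security" the rule lacking metadata is dropped from the map and the same event comes back as "Snort Alert [1:2101411:12]", which is exactly the symptom in the original post. Passing the ET-style line through `add_policy_metadata` first puts it back under the chosen policy.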
________________________________________
From: Jon P <jon () streamlinedev net>
Sent: Wednesday, May 4, 2016 1:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Barnyard not using gen-msg.map

I'm using the ET Community rule set. PulledPork updates this daily. That seems to be working fine.

I did something that is causing my alerts to now be loaded as Snort Alert [1:2101411:12] in BASE.

I *think* the issue is with the gen_file and sid_file; but my config looks ok.

config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config reference_file:      /etc/snort/reference.config
config sid_file:            /etc/snort/sid-msg.map
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort xxxxxxxxxxxxxxxxxxxxxx


Both *.map files look right and have the text for the alerts I'm seeing.

Is it better practice to use the -S and -G options?


Thanks!

-jp

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager Applications Manager provides deep 
performance insights into multiple tiers of your business applications. It resolves application problems quickly and 
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!