barnyard2 getting "snort Alert[x.x.xxxx]" instead of signature name


Jonathon Wright

Jul 16, 2014, 6:06:59 PM
to barnyar...@googlegroups.com
BY2 group,
 
I know, the subject sounds like a dead horse is still getting beaten, but it's not (I hope).
 
The typical solution to this problem is to simply restart barnyard2 to allow it to re-read the sid-msg.map into memory, as well as ensuring that the snort alert in question has the sid and msg in the sid-msg.map file. However, the sid-msg.map has the sid and msg in the sid-msg.map and the barnyard2 daemon (continuous with bookmarking) has been restarted successfully.
 
So what changed and why now?
That's easy: I upgraded barnyard2 from 2.1.9 to 2.1.13 (build 333), and ever since then this problem (subject line) has occurred.
 
Here's the server's (Red Hat Enterprise Linux 6.5) environment:
 
barnyard2 built from source using the same './configure' options as before (see below):
 

# ./autogen.sh
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make
# make install

 
The barnyard2.conf, reference.config, classification.config, gen-msg.map, sid-msg.map that were used when 2.1.9 was installed were reused.
I remember reading something about 2.1.13 now supporting a version 2 of the sid-msg.map, perhaps that is where the problem lies?
 
Let me know if you need any further information, thanks.
 
JW

beenph

Jul 16, 2014, 7:43:12 PM
to barnyar...@googlegroups.com
Hi Jonathon,
Which sid and gid and revision is concerned?

Snort Alert [gid,sid,revision]

What is returned when you query your database for the tuple in the
signature table?

-elz

Jonas Turner

Jul 17, 2014, 8:35:18 AM
to barnyar...@googlegroups.com
I too have been on version 2.1.13 since I built my NIDS. I used to have this issue a lot, and still do from time to time depending on my rules and when they are updated. It doesn't happen as often anymore... but I just run a command to update my DB with the correct name and move on. I know it's not the correct way, but I don't have time to troubleshoot my side. :(

mysql -N -B -uroot -pSOMEPASSWORD -Dsnorby -e "UPDATE signature SET sig_name='ET POLICY Windows-Based OpenSSL Tunnel Outbound' WHERE sig_sid='2012078';"

Jonathon Wright

Jul 17, 2014, 3:57:43 PM
to barnyar...@googlegroups.com
Hey Eric,
 
They are custom sids, so the numbers themselves may not help. In any case, here they are:
Snort Alert [1:1000548:0]
Snort Alert [1:1001156:0]
Snort Alert [1:1002499:0]
Snort Alert [1:1002529:0]
Snort Alert [1:1002530:0]
 
For the query (I just did the first one):
+--------+----------------------------------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name                                           | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+----------------------------------------------------+--------------+--------------+---------+---------+---------+
|   1699 | http.ANY_Executable_Download [Suspicious Download] |            0 |            0 |       0 | 1000548 |    NULL |
|   2999 | http.ANY_Executable_Download [Suspicious Download] |            0 |            0 |       7 | 1000548 |       1 |
|   3102 | Snort Alert [1:1000548:0]                          |            0 |         NULL |       7 | 1000548 |       1 |
+--------+----------------------------------------------------+--------------+--------------+---------+---------+---------+
3 rows in set (0.03 sec)
 
I can run the update like Jonas indicated, but I'd rather fix the problem than the symptom.
 
JW

Jonathon Wright

Jul 17, 2014, 4:05:27 PM
to barnyar...@googlegroups.com
Hey Jonas,
 
I just found your post and read it. Eric had some more questions for you at the end, but you didn't respond. There is a difference though between our situations. For example, I'm not using oinkmaster, I'm using my own php scripting to write out the sid-msg.map file from the db.

beenph

Jul 17, 2014, 7:02:42 PM
to barnyar...@googlegroups.com
JW,

2 queries:

DELETE FROM sig_reference WHERE sig_id IN ( SELECT sig_id FROM
signature WHERE sig_rev='0');
DELETE FROM signature WHERE sig_rev='0';

Before executing those queries, stop all by2, then restart them; it
should fix this issue.

-elz



On Thu, Jul 17, 2014 at 3:57 PM, Jonathon Wright

Jonathon Wright

Jul 17, 2014, 7:44:25 PM
to barnyar...@googlegroups.com
Hey Elz,
 
Interestingly enough, no records are in sig_reference. I think I cleared that one out when I upgraded the version. How does that table get populated anyway?
The second one may not be good either:
 
>SELECT count(*) FROM snort.signature where sig_rev=0;
count(*)
----------
1214
 
Not sure I want to delete 1214 rules =)
What are you trying to accomplish with that delete? Is there another way to get to that goal, or are the rules with sig_rev = 0 not really doing anything anyway?
 
Let me know what other queries or information you're interested in, but I'm going to hold off on removing the rules until your reply.
 
JW



beenph

Jul 17, 2014, 10:17:14 PM
to barnyar...@googlegroups.com
Well, that's a gift from the old version; if you want things to go smoothly,
deleting them will ease the process.
The impact of such a command depends on how many events you have pointing
to those signatures.

The workaround is to replay old unified2 so your data maps.

But unfortunately, yes, it's a necessary step.


On Thu, Jul 17, 2014 at 7:44 PM, Jonathon Wright

Jonathon Wright

Jul 18, 2014, 10:40:48 PM
to barnyar...@googlegroups.com
 
Okay, I updated the signature records to remove the duplicates, and deleted them from the signature table.
Then I restarted the by2 process. Alerts are coming in, and so far so good, but only time will tell.

Jonathon Wright

Jul 21, 2014, 8:34:33 PM
to barnyar...@googlegroups.com
Alerts are very unpredictable now in the database.
 
For example, I have alerts that fire with NULL signature. Other alerts that enter snort.event have a signature that has no correlating sig_id in the snort.signature table.
I've restarted both snort and by2 successfully, but the problem persists.
 
Ideas?

beenph

Jul 22, 2014, 5:22:38 AM
to barnyar...@googlegroups.com
On Mon, Jul 21, 2014 at 8:34 PM, Jonathon Wright
<jonathon...@gmail.com> wrote:
> Alerts are very unpredictable now in the database.
>
> For example, I have alerts that fire with NULL signature. Other alerts that
> enter snort.event have a signature that has no correlating sig_id in the
> snort.signature table.
> I've restarted both snort and by2 successfully, but problem persists.
>
> Ideas?

Your question is a bit unclear. Is this coming from your UI or from barnyard2?
Do you have the exact log message that you get? etc.

If it's from your UI, maybe you should delete your old data before you
"executed" the delete
in the sig table or, as I suggested, replay old u2 files.

I will wait until you tell us what's concerned before going further.

-elz

Jonathon Wright

Jul 22, 2014, 1:44:22 PM
to barnyar...@googlegroups.com
It appears those were alerts that weren't being pushed into the snort.event table, but events that were orphaned in the event table after I removed the signatures. I think it should've been like this:
 
>> DELETE FROM sig_reference WHERE sig_id IN ( SELECT sig_id FROM signature WHERE sig_rev='0');
>> DELETE FROM event WHERE signature IN ( SELECT sig_id FROM signature WHERE sig_rev='0');
>> DELETE FROM signature WHERE sig_rev='0';
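The cleanup sequence discussed in this thread, as an added example that is not from any poster: a Python script against a constructed in-memory SQLite miniature of the snort signature, sig_reference and event tables (column subset and sample rows are assumptions, modelled on the rows shown earlier). It first reports what a purge of sig_rev=0 rows would touch, then deletes in dependency order inside one transaction so no events are left orphaned.

```python
import sqlite3

# Constructed in-memory miniature of the three snort tables involved.
# Column subset only; not the real barnyard2 schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE sig_reference (sig_id INTEGER, ref_seq INTEGER, ref_id INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER);
"""
# Sample rows (constructed): a stale sig_rev=0 copy of sid 1000548 beside its
# current revision, with two events and one reference hanging off the stale row.
SAMPLE = """
INSERT INTO signature VALUES (1699, 'http.ANY_Executable_Download', 0, 1000548, NULL);
INSERT INTO signature VALUES (2999, 'http.ANY_Executable_Download', 7, 1000548, 1);
INSERT INTO signature VALUES (3102, 'Snort Alert [1:1000548:0]', 7, 1000548, 1);
INSERT INTO sig_reference VALUES (1699, 1, 10);
INSERT INTO event VALUES (1, 1, 1699);
INSERT INTO event VALUES (1, 2, 1699);
INSERT INTO event VALUES (1, 3, 2999);
"""
STALE = "SELECT sig_id FROM signature WHERE sig_rev = 0"

def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con

def impact_report(con):
    """Dry run: count what the purge would touch before anything is deleted."""
    count = lambda sql: con.execute(sql).fetchone()[0]
    return {
        "stale_signatures": count("SELECT COUNT(*) FROM signature WHERE sig_rev = 0"),
        "dependent_refs": count("SELECT COUNT(*) FROM sig_reference WHERE sig_id IN (%s)" % STALE),
        "dependent_events": count("SELECT COUNT(*) FROM event WHERE signature IN (%s)" % STALE),
    }

def orphaned_events(con):
    """Events whose signature row no longer exists (the symptom after a partial purge)."""
    return con.execute("SELECT COUNT(*) FROM event WHERE signature NOT IN "
                       "(SELECT sig_id FROM signature)").fetchone()[0]

def purge_stale_signatures(con, delete_events=False):
    """Delete sig_rev=0 rows in dependency order; refuse if events would be orphaned
    unless the caller opts in to deleting them (or has replayed old unified2 first)."""
    report = impact_report(con)
    if report["dependent_events"] and not delete_events:
        raise RuntimeError("%d events still point at sig_rev=0 signatures"
                           % report["dependent_events"])
    with con:  # one transaction: all deletes commit together or none do
        con.execute("DELETE FROM sig_reference WHERE sig_id IN (%s)" % STALE)
        if delete_events:
            con.execute("DELETE FROM event WHERE signature IN (%s)" % STALE)
        con.execute("DELETE FROM signature WHERE sig_rev = 0")
    return report
```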

Mike

Jan 15, 2015, 3:30:42 PM
to barnyar...@googlegroups.com

Ah, to cut to the chase: need to empty BOTH the signature AND sig_reference tables.

I've been looking for this answer for two years...  ;-)

thanks Jonathon!

Jonathon Wright

Jan 15, 2015, 9:15:47 PM
to barnyar...@googlegroups.com
NP Mike,

Glad it helped someone!

--

Zara

Apr 23, 2015, 1:46:56 AM
to barnyar...@googlegroups.com
Hi.
I've a question related to your post, since I've made some custom rules and their respective sids to test some local rules. I've snort 2.9.7.2 with barnyard2-1.3 and BASE running. When I run snort in console mode (-A) it captures alerts triggered by the local rule and logs to the snort.log.xxx file, but when I run snort as a daemon to log alerts in the snort.u2 file, there are no local rule alerts when I open the .u2 file with u2spewfoo. I've updated my sid-msg.map file as well according to the local rules.
I can't understand why, if snort captures the alert, they are not written in unified2, although other alerts are written in the unified file but not the alerts of the custom rules? What am I missing?

My Email

Apr 24, 2015, 1:02:50 PM
to barnyar...@googlegroups.com
That's an interesting problem, Zara. I'm not sure why it would behave differently between console mode and daemon mode if using the same conf and sid-msg.map files.

Unfortunately I'm no longer working with by2 / snort and am unable to test anything at the moment. Hopefully the by2 group will have some experience to share on the issue you're having.