Snort alert is logged with the sid instead of the msg field
jonna_983

May 8, 2014, 12:16:33 PM
to securit...@googlegroups.com
I am adding a new rule based on this guide:
https://code.google.com/p/security-onion/wiki/AddingLocalRules

The rule is in the following form:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"<My message>"; content:"<my content>"; sid: <mysid>;)

The alert is triggered, but is logged as 'Snort Alert [1:<mysid>:0]' at sguil and the securityonion_db database, instead of being logged as the alert's message ('<My message>').

Any clues?

Thanks,
jonna_983

jonna_983

May 8, 2014, 12:44:48 PM
to securit...@googlegroups.com

The problem was solved by choosing a more 'reasonable' sid (the previous sid was '5000005').

jonna_983

May 20, 2014, 12:34:26 PM
to securit...@googlegroups.com
So, apparently, the problem is happening again, even for a sid in the non-custom range.
Any ideas?

Thanks,
jonna_983

Kevin Branch

May 20, 2014, 3:34:58 PM
to securit...@googlegroups.com
Jonna,

"Snort Alert" is the generic name that barnyard2 puts on database and
syslog records when it can't find the event's sid in
/etc/nsm/rules/sid-msg.map. Is your sid in that file now? Are you
using Snorby or ELSA? Does the misnamed alert show up as "Snort Alert"
there, too? I don't know if barnyard2 sends the sid name when using the
sguil output plugin or if sguild handles looking up the name on its end.

I believe that pulledpork.pl is responsible for generating a fresh copy
of sid-msg.map every time you run rule-update. The rule-update script
also restarts all barnyard2 instances so that the new version of
sid-msg.map is read in.

Kevin
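Kevin's explanation above amounts to a lookup: barnyard2 resolves each event's sid against /etc/nsm/rules/sid-msg.map and, when the sid is absent, falls back to the generic "Snort Alert [gid:sid:rev]" name. The script below is an added example for this thread, not code from the original posts nor from Security Onion, barnyard2 or pulledpork. It reproduces that lookup offline against a constructed local.rules and sid-msg.map so a missing mapping can be spotted before running rule-update, and it prints the v1 map lines that would be needed. The sample rules, the sample map and the sid-msg.map field layouts it parses (v1: "sid || msg [|| ref ...]"; v2, after a "#v2" header: "gid || sid || rev || classification || priority || msg [|| ref ...]") are assumptions of the example.

```python
import re

# Constructed sample local.rules (not from the thread): three custom rules,
# one of them without a rev, plus a commented-out rule that must be ignored.
LOCAL_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Custom rule one"; content:"foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH probe"; content:"SSH-"; sid:1000002;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL disabled"; content:"x"; sid:1000009;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Another rule"; content:"bar"; sid:5000005;)
'''

# Constructed sid-msg.map in the v1 layout ("sid || msg [|| ref ...]").
# Only the first custom sid is present, so the other two would be logged
# as "Snort Alert [1:<sid>:<rev>]" by barnyard2.
SID_MSG_MAP = '''
1000001 || LOCAL Custom rule one
2000001 || ET SOME OTHER RULE || url,example.com
'''

# Action keyword, anything up to the first "(", then the option block.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$')


def parse_rules(text):
    """Return {sid: (msg, rev)} for every active (non-commented) rule line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('opts')
        sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', opts)
        msg = re.search(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;', opts)
        rev = re.search(r'\brev\s*:\s*(\d+)\s*;', opts)
        if not sid or not msg:
            continue  # a rule without sid/msg cannot be mapped at all
        rules[int(sid.group(1))] = (msg.group(1), int(rev.group(1)) if rev else 0)
    return rules


def parse_map(text):
    """Return {sid: msg} from sid-msg.map; v1 by default, v2 if a '#v2' header is seen."""
    sids = {}
    v2 = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('#'):
            if line.lower().startswith('#v2'):
                v2 = True
            continue
        fields = [f.strip() for f in line.split('||')]
        if v2:
            # gid || sid || rev || classification || priority || msg || ref...
            if len(fields) < 6 or fields[0] != '1':
                continue  # only text rules (gid 1) are relevant to this check
            sids[int(fields[1])] = fields[5]
        elif len(fields) >= 2:
            sids[int(fields[0])] = fields[1]
    return sids


def missing_entries(rules, sidmap):
    """Rules whose sid has no map entry: these are the ones that get the generic name."""
    return {sid: rules[sid] for sid in rules if sid not in sidmap}


def describe_alert(sidmap, sid, gid=1, rev=0):
    """Mimic barnyard2's naming: the mapped msg, or the placeholder for an unknown sid."""
    return sidmap.get(sid, f"Snort Alert [{gid}:{sid}:{rev}]")


def map_lines(entries):
    """Render missing rules as v1 sid-msg.map lines, sorted by sid."""
    return [f"{sid} || {msg}" for sid, (msg, _rev) in sorted(entries.items())]


def check(rules_text=LOCAL_RULES, map_text=SID_MSG_MAP):
    """Parse both files and return the rules that are not covered by the map."""
    return missing_entries(parse_rules(rules_text), parse_map(map_text))


if __name__ == '__main__':
    rules = parse_rules(LOCAL_RULES)
    sidmap = parse_map(SID_MSG_MAP)
    for sid, (msg, rev) in sorted(rules.items()):
        print(f"sid {sid}: logged as {describe_alert(sidmap, sid, rev=rev)!r}")
    print("sid-msg.map lines still needed:")
    for line in map_lines(missing_entries(rules, sidmap)):
        print("  " + line)
```

On a sensor, feed the script the contents of /etc/nsm/rules/local.rules and /etc/nsm/rules/sid-msg.map instead of the constructed samples; any sid it reports as missing will keep showing up as "Snort Alert [1:sid:rev]" until the map is regenerated and barnyard2 re-reads it.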

Ioannou Georgios

May 21, 2014, 7:25:48 AM
to securit...@googlegroups.com
Correction:

Actually, here is the case: I am trying to configure 3 custom rules.
All 3 rules' signatures are populated properly in both securityonion_db and sguil, so my main problem is fixed.

With regards to Snorby:
1 of the rules populates its event signature properly in Snorby, the other two don't.
I guess it has something to do with the rule definition?
Ioannou Georgios

May 21, 2014, 7:13:27 AM
to securit...@googlegroups.com
Hi Kevin,

I have updated the sid-msg.map file, the custom rules now appear within the file (I thought rules were updated by restarting the nsm service?).
After testing the rules again, the correct signature now appears in the event table within securityonion_db as well as in sguil.

It does still appear as [Snort Alert....] in Snorby (is this normal?), but I don't really care about that at the moment.

Thanks very much!
Heine Lysemose

May 21, 2014, 9:26:18 AM
to securit...@googlegroups.com
Hi


On Wed, May 21, 2014 at 1:13 PM, Ioannou Georgios <gioan...@gmail.com> wrote:
Hi Kevin,

I have updated the sid-msg.map file, the custom rules now appear within the file (I thought rules were updated by restarting the nsm service?).

No, you have to run sudo rule-update to get sid-msg.map updated; afterwards it restarts Snort/Suricata and Barnyard2 so that they read in the new info.
 
After testing the rules again, the correct signature now appears in the event table within securityonion_db as well as in sguil.

It does still appear as [Snort Alert....] in Snorby (is this normal?), but I don't really care about that at the moment.

Only new events will have the correct info. Snorby doesn't process old events in the database.

Thanks very much!

Regards,
Lysemose

jonna_983

May 23, 2014, 7:51:06 AM
to securit...@googlegroups.com
Thanks for the info Lysemose.

jonna_983