How is Severity Level determined in Snorby?


Richard Fox

Jan 20, 2012, 5:13:07 PM1/20/12
to security-onion
Hi,

I have an issue with Severity levels in Snorby. I found this post
that says you just need to change classification.conf

http://groups.google.com/group/snorby/browse_thread/thread/b58b7caff78dfbb3/caf80e0d1e821f38?lnk=gst&q=classification#caf80e0d1e821f38

I want to change policy-violation to 3 and have changed it in every
classification.conf file I found on SO and restarted SO but Snorby is
still adding them to High Severity.

Any ideas what I need change?

Thanks,
Richard

Scott Runnels

Jan 20, 2012, 11:19:35 PM1/20/12
to securit...@googlegroups.com
Hi Richard,

Have you checked the actual alert you are attempting to reclassify? If the alert hardcodes a priority it will override the configuration in classification.config no matter what the "classtype:" is for the rule. I would suggest grepping the rules file for the specific rule you're interested in and looking for the field "priority:".

Thanks
Scott Runnels


Richard Fox

Jan 22, 2012, 10:41:39 AM1/22/12
to security-onion
Thanks for the help,
I checked that priority was not on the rule so as a way to test I
added it.

alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; priority:3; sid:2012648; rev:3;)

It still shows under Severity 1 (High Severity). Ok, so I figured I
could change it to a different classtype that is already low. I did
that and the alert shows under High Severity again!

alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:misc-activity; sid:2012648; rev:3;)

Any ideas?

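The override rule Scott describes (an explicit "priority:" beats the classtype default from classification.config), applied to Richard's rule above, as an added Python example that is not from this thread or from Snort/Snorby. The classification.config excerpt is constructed, and rule_options is a minimal option splitter for this purpose, not a full Snort rule parser.

```python
import re

# Constructed excerpt of a Snort classification.config; the format is
# "config classification: <classtype>,<description>,<priority>".
CLASSIFICATION_CONF = """\
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
"""

# Richard's modified rule from the thread, rejoined onto one line.
RULE_WITH_PRIORITY = (
    'alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client '
    'Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; '
    'content:" |22|version|22 3a| ["; distance:0; '
    'content:"], |22|displayname|22 3a| |22|"; distance:0; '
    'threshold:type limit, count 1, seconds 3600, track by_src; '
    'classtype:policy-violation; priority:3; sid:2012648; rev:3;)'
)


def parse_classification_config(text):
    """Map each classtype name to the default priority it carries."""
    prios = {}
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([^,]+),[^,]*,(\d+)", line)
        if m:
            prios[m.group(1).strip()] = int(m.group(2))
    return prios


def rule_options(rule):
    """Return keyword -> value for the options inside the rule's parentheses.
    Quoted values may contain ';', so the split honours double quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = opt.strip().partition(":")
        if key:
            opts.setdefault(key.strip(), val.strip())
    return opts


def effective_priority(rule, classtype_prios):
    """Priority Snort assigns the rule: an explicit 'priority:' wins over the
    classtype default; None when the rule has neither (Snorby then stores
    sig_priority as NULL, as Scott observed for his local rule)."""
    opts = rule_options(rule)
    if "priority" in opts:
        return int(opts["priority"])
    return classtype_prios.get(opts.get("classtype"))
```

Snort itself resolves Richard's rule to priority 3 either way; the thread's finding is that Snorby keeps the sig_priority it stored the first time it saw the sid, until the rev changes or the row is updated by hand.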

Richard Fox

Jan 25, 2012, 8:55:48 PM1/25/12
to security-onion
I am out of ideas. I loaded a fresh install of SO and still cannot
change the Severity of the alerts. Am I the only one having this
problem?

Scott Runnels

Jan 25, 2012, 11:10:22 PM1/25/12
to securit...@googlegroups.com
Hi Richard,

I spun a VM to test this and noticed the same issue you described.  Here's what I did to replicate, let me know if it seems very different than what you're seeing. 

1. Create a custom rule in /etc/nsm/rules/local.rules - This rule did not have a defined classtype or priority. 
2. Run /usr/local/bin/pulledpork_update.sh to update the ruleset and restart snorby.
3. Generated a packet to kickoff my custom alert with scapy.
4. Since the custom rule did not have a defined classtype or priority it was reported by snorby without a priority. 
5. I then made changes to both the priority and the classtype
6. Ran /usr/local/bin/pulledpork_update.sh again
7. Generated another packet to kick off the alert.  Again, it was reported with no priority. 

It didn't matter how I went about changing the classtype or priority. 

From there, I took a look at the snorby database. 
   mysql -uroot -Dsnorby

There is a column in snorby.signature that indicates the priority (sig_priority). When queried, the priority for my custom rule was set to NULL. My working theory is that the first time the signature is seen by snorby, it inserts into snorby.signature and sets the priority. However, I'm not sure if there is a codified method to update the severity of an alert already in the db.

I had to manually update the value with:
mysql -N -B -uroot -Dsnorby -e "UPDATE signature SET sig_priority=1 WHERE sig_sid = 9000547;"

You can check the sig_priority with:
mysql -N -B -uroot -Dsnorby -e "SELECT sig_id, sig_name, sig_priority, sig_sid FROM signature WHERE sig_sid=9000547;"
1    Vote for Security Onion Toolsmith Tool of 2011!    1    9000547

Let me know if I can do anything more

v/r
Scott
--
Scott Runnels


Richard Fox

Jan 26, 2012, 12:34:20 AM1/26/12
to security-onion
You are awesome!!! I used your command to change the Severity
and now it is working.
mysql -N -B -uroot -Dsnorby -e "UPDATE signature SET sig_priority = 3 WHERE sig_sid=2012648;"

Thanks again!


Scott Runnels

Jan 26, 2012, 1:52:15 PM1/26/12
to securit...@googlegroups.com
Richard,

For future use, I did some asking around in #snorby and if you update the "rev:" of the alert, it should update to the new priority/classtype the next time snorby sees it.  I tested this in my VM and it holds true. 

I would note that the changes you make by hand to an existing alert (an alert NOT in local.rules) will likely get overwritten the next time pulledpork runs (7:01 nightly).  You can use pulledpork to edit the alert or you can disable the sid of the alert and create a new one in local.rules with the appropriate priority/classtype.

v/r
Scott
--
Scott Runnels


Doug Burks

Jan 26, 2012, 1:54:50 PM1/26/12
to securit...@googlegroups.com
Thanks for tracking this down, Scott!

One minor correction: pulledpork runs at 7:01 AM UTC.

Thanks,
Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi

Scott Runnels

Jan 26, 2012, 1:56:13 PM1/26/12
to securit...@googlegroups.com
Whoops!  Thanks for correcting that. 
--
Scott Runnels


Markie Dee

Apr 13, 2015, 8:23:37 PM4/13/15
to securit...@googlegroups.com
I did this database update and it worked, but now the alerts show up in snorby like this:

Snort Alert [1:2012889:2]

Doug Burks

Apr 15, 2015, 8:16:38 PM4/15/15
to securit...@googlegroups.com
Hi Markie,

Take a look at the barnyard log file(s) in
/var/log/nsm/HOSTNAME-INTERFACE/. They should tell you what happened
and what you need to do to correct it.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Markie Dee

Apr 20, 2015, 9:49:56 AM4/20/15
to securit...@googlegroups.com
Thank you for the fast reply, Doug. I am understanding this more each day. I have found how to manually fix the database, but I want to change the severity in the snorby front end the RIGHT way from now on. I will examine those logs and find out what actually maps that sig_name so that I can update alerts going forward the right way. I think I need to disable the downloaded rule and re-make it as a local rule with a different priority. THEN by2 will put it in the database with a different mapping? Man, I'm still confused, but I am getting there. Thank you!

Markie Dee

Apr 20, 2015, 11:09:03 AM4/20/15
to securit...@googlegroups.com
edit:...ooooHHH this log is NOICE!

Doug Burks

Apr 20, 2015, 12:49:19 PM4/20/15
to securit...@googlegroups.com
You can either disable the rule and add it as a local rule OR have
PulledPork rewrite the signature on-the-fly:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

Ángel Franco

Mar 15, 2016, 5:06:35 PM3/15/16
to security-onion
Hi Doug,

I cannot find /usr/loca/bin/pulledpork_update.sh; how can I update the ruleset and restart snorby? The solution from Scott Runnels worked for me, but the count on the dashboard still shows 11 instead of 2 (after the DB update it should display 2 priority 1 events).

Wes

Mar 15, 2016, 5:55:22 PM3/15/16
to security-onion
Angel,

Please start a new thread instead of replying to an old one.
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#questionsproblems

Thanks,
Wes