Triggered Signature shows numbers only

BASE-user
cbdavis
2008-01-28
2013-06-03
  • cbdavis
    2008-01-28

    When I look at an alert in BASE I only see a number in the Triggered Signature section. I am not sure why I am not seeing a snort link and the text of the actual alert. This was happening with Snort sending directly to mysql, so I added barnyard and that made no difference. I am now back to using just Snort to mysql and a snortsam plugin. I have dropped the database and recreated it without any luck either and now am out of ideas.

    • kryptikET
      2008-01-29

      cbdavis,

      I've seen the same results (number only) when the sid-msg.map file isn't in the /etc/snort directory.  When using barnyard, you need to reference it via the cmd line or barnyard config file.  You should also make sure the gen-msg.map file is referenced.

      From barnyard.conf
      config sid-msg-map: /etc/snort/sid-msg.map
      config gen-msg-map: /etc/snort/gen-msg.map

      barnyard via cmd line
      /usr/local/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -w /etc/snort/barnyard.bookmark -n -X /var/run/barnyard.pid -f snort_unified.log

      The above cmd line has the following options:
      -D = daemon mode
      -c = barnyard config file
      -d = log file directory
      -s = sid-msg.map location
      -g = gen-msg.map location
      -p = classification.config location
      -w = barnyard bookmark (for resuming barnyard operations) location
      -n = Only process new events
      -X = Process ID (pid) file location
      -f = log file to process name

      hope this helps.

    • cbdavis
      2008-01-29

      Thanks for the reply. I am not using Barnyard. I have installed it and used it to see if I could fix the problem, but even with Barnyard installed I had the same results.

      /etc/snort/sid-msg.map map exists and is world readable:

      -rw-r--r-- 1 snort snort 1553624 2008-01-28 17:11 /etc/snort/sid-msg.map

      The signatures that appear in BASE are always 1, 2, 3 or 4. Those numbers don't even exist in the sid-msg.map. They do, however, exist in the mysql table signature as the auto_increment sig_id:

      mysql> select * from signature;
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      | sig_id | sig_name                                      | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      |      1 | (http_inspect) DOUBLE DECODING ATTACK         |            0 |            3 |       1 |       2 |     119 |
      |      2 | (http_inspect) OVERSIZE REQUEST-URI DIRECTORY |            0 |            3 |       1 |      15 |     119 |
      |      3 | (http_inspect) IIS UNICODE CODEPOINT ENCODING |            0 |            3 |       1 |       7 |     119 |
      |      4 | (http_inspect) BARE BYTE UNICODE ENCODING     |            0 |            3 |       1 |       4 |     119 |
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      4 rows in set (0.00 sec)

      How do they get into the signature table? Should they all be there, i.e. are they supposed to be posted there when snort inserts into mysql? Should snort be putting a different sig_id there? I am unsure whether I should be looking at BASE as the problem or at snort as not inserting the correct info into mysql.

    • Hello,

      an alert is identified not just by one number, but by a combination of what the "signature" table calls "sig_gid"
      AND "sig_sid". For example "119:4" (generator id:snort id).

      Cf. /etc/snort/gen-msg.map, /etc/snort/generators.

      /etc/snort/sid-msg.map contains snort id's for generator no. 1 only, i.e.
      the one that checks the rules.

      Cf. the logfiles: they talk about "119:4:1", for example.

      "sig_id", by contrast, is something internal that differs from sensor to sensor and depends on what kind of alert came first.

      And yes, the query result that you have posted looks quite normal.

      Now your problem is similar to the one in thread "No Data in Alerts section of Base". So this is going to be difficult, as we haven't found a solution, yet.

      First off, what does the following query return?
      mysql> select encoding from sensor;

      Second, could you download, install and try the CVS version of BASE? So that we can exclude those bugs that we have already found.

      If the CVS version of BASE does NOT solve your problem, could you please upload a screenshot of your BASE screen to www.screenshots.cc, or to any pastebin site.

      Is there anything useful in error_log or ssl_error_log of your web server?

      And then please enable debug mode in base_conf.php:

              $debug_mode = 1;

      and post the whole output here on this site, even if it is long. Maybe this reveals what makes BASE bail out
      on your system.

      Bye, bye

      Juergen
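As an added illustration of the gid:sid lookup Juergen describes above (and of the two map files kryptikET points at), not code from this thread, from BASE or from barnyard: a small Python resolver that parses constructed excerpts in sid-msg.map and gen-msg.map format and maps an alert identifier such as "119:4:1" to its message, returning None in exactly the case where a front end is left showing only a number. The local sids, the references and the sample map contents are constructed.

```python
import re

# Constructed sample excerpts (the real files live under /etc/snort/ and are far longer).
# sid-msg.map format: "sid || msg || ref || ref ..."  (generator 1, the rules engine, only)
SID_MSG_MAP = """\
1000001 || LOCAL test rule || url,example.invalid
1000002 || LOCAL second test rule || url,docs.example.invalid || url,wiki.example.invalid
"""
# gen-msg.map format: "gid || sid || msg"  (preprocessors/decoders, e.g. 119 = http_inspect)
GEN_MSG_MAP = """\
1 || 1 || snort general alert
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
119 || 15 || (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
"""

def _records(text, min_fields):
    """Yield the '||'-separated fields of each non-comment line that has enough of them."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) >= min_fields:
            yield fields

def parse_sid_msg_map(text):
    """sid -> (msg, [references]); only generator 1 sids are listed here."""
    return {int(f[0]): (f[1], f[2:]) for f in _records(text, 2) if f[0].isdigit()}

def parse_gen_msg_map(text):
    """(gid, sid) -> msg for every generator."""
    return {(int(f[0]), int(f[1])): f[2]
            for f in _records(text, 3) if f[0].isdigit() and f[1].isdigit()}

def resolve(gid, sid, sid_map, gen_map):
    """Message for gid:sid, or None: the case where only the bare number is left to show."""
    if gid == 1 and sid in sid_map:      # rules engine: sid-msg.map is authoritative
        return sid_map[sid][0]
    return gen_map.get((gid, sid))       # everything else (and gid 1 fallbacks): gen-msg.map

def resolve_alert_id(alert_id, sid_map, gen_map):
    """Accept the 'gid:sid:rev' form Snort writes in its logs, e.g. '119:4:1'."""
    m = re.fullmatch(r"(\d+):(\d+)(?::\d+)?", alert_id.strip())
    if not m:
        raise ValueError("expected gid:sid[:rev], got %r" % alert_id)
    return resolve(int(m.group(1)), int(m.group(2)), sid_map, gen_map)
```

Running resolve_alert_id over the sig_gid/sig_sid pairs of the signature table quoted earlier in the thread is a quick way to tell whether the map files on a sensor actually cover the alerts it has stored.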