Snort Alert [3:16408:0] <- Incorrect Name

BASE-user
kryptikET
2010-07-26
2013-06-03
  • kryptikET
    2010-07-26

    Just updated to Snort 2.8.6, Base 1.4.5.  Use oinkmaster to update signatures, use create-sidmap.pl to create sidmap and barnyard to upload from sensors to base mysql db.

    Barnyard called w/
    /usr/local/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -w /etc/snort/barnyard.bookmark -n -X /var/run/barnyard.pid -f snort_unified.log

    ~$ grep 16408 /etc/snort/sid-msg.map
    16408 || DOS Microsoft Windows TCP SACK invalid range denial of service attempt || url,www.microsoft.com/technet/security/bulletin/MS10-009.mspx || cve,2010-0242

    Even though the sids are defined in sid-msg.map and barnyard is pointing to sid-msg.map in its startup, base is still showing:
    Snort Alert  attempted-dos  as the alert name.

    Does anyone have any ideas?

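The map lookup the post above depends on, as an added example (this is not barnyard's or BASE's own code). The sid-msg.map line for 16408 is the one quoted in the post; the gen-msg.map lines and the event triples are constructed samples. The lookup order used here (gid 1 resolved through sid-msg.map, every other gid through gen-msg.map, and the generic `Snort Alert [gid:sid:rev]` name when neither matches) is an assumption about barnyard's behaviour, written out so you can see why an event logged as 3:16408:0 can remain unnamed even though sid 16408 is present in sid-msg.map.

```python
"""Resolve Snort alert names from sid-msg.map and gen-msg.map.

Added example, not code from the BASE or barnyard projects. The lookup order
implemented in resolve_name() is an assumption about how barnyard maps a
(gid, sid, rev) triple to a signature name.
"""

# Constructed excerpt of sid-msg.map. The 16408 line is the one quoted in the
# post above; the second line is a made-up local rule.
SID_MSG_MAP = """\
# sid || msg || reference || reference ...
16408 || DOS Microsoft Windows TCP SACK invalid range denial of service attempt || url,www.microsoft.com/technet/security/bulletin/MS10-009.mspx || cve,2010-0242
1000001 || LOCAL test rule
"""

# Constructed excerpt of gen-msg.map (gid || sid || msg). Note there is no
# entry for generator 3, sid 16408.
GEN_MSG_MAP = """\
# gid || sid || msg
1 || 1 || snort general alert
116 || 1 || snort_decoder: Not IPv4 datagram!
"""


def _fields(raw):
    """Split one map line on '||' and strip padding; None for blank/comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text; reject lines that would not load."""
    sids = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if fields is None:
            continue
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"malformed sid-msg.map line: {raw!r}")
        sids[int(fields[0])] = fields[1]
    return sids


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} from gen-msg.map text."""
    gens = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if fields is None:
            continue
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            raise ValueError(f"malformed gen-msg.map line: {raw!r}")
        gens[(int(fields[0]), int(fields[1]))] = fields[2]
    return gens


def resolve_name(gid, sid, rev, sid_map, gen_map):
    """Assumed lookup order: gid 1 via sid-msg.map, other gids via gen-msg.map,
    otherwise the generic placeholder name that shows up in the BASE alert list."""
    if gid == 1 and sid in sid_map:
        return sid_map[sid]
    if (gid, sid) in gen_map:
        return gen_map[(gid, sid)]
    return f"Snort Alert [{gid}:{sid}:{rev}]"


def unmapped_events(events, sid_map, gen_map):
    """Return the (gid, sid, rev) triples that would be displayed with the generic name."""
    return [e for e in events
            if resolve_name(*e, sid_map, gen_map).startswith("Snort Alert [")]


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    # Constructed events: the same sid under generator 1 and under generator 3.
    for gid, sid, rev in [(1, 16408, 0), (3, 16408, 0), (116, 1, 1)]:
        print(f"{gid}:{sid}:{rev} -> {resolve_name(gid, sid, rev, sid_map, gen_map)}")
```

Feed `unmapped_events()` the distinct gid/sid/rev triples your sensors actually produce and you get the list of alerts that will appear under the generic name, which tells you whether the problem is the map contents or the way the map is being read.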
  • Will Urbanski
    2010-07-28

    Hi! Please check your `alerts` table in the database to ensure that the signature name is being populated there by BY. I suspect that BY is not correctly reading the sid-msg.map.