
Triggered Signature shows numbers only

  • cbdavis

    cbdavis - 2008-01-28

    When I look at an alert in BASE I only see a number in the Triggered Signature section. I am not sure why I am not seeing a snort link and the text of the actual alert. This was happening with Snort directly sending to mysql, so I added barnyard, and that made no difference. I am now back to using just Snort to mysql and a snortsam plugin. I have dropped the database and recreated it without any luck either, and now I am out of ideas.

    • kryptikET

      kryptikET - 2008-01-29


      I've seen the same results (number only) when the file isn't in the /etc/snort directory.  When using barnyard, you need to reference it via the cmd line or barnyard config file.  You should also make sure the file is referenced.

      From barnyard.conf
      config sid-msg-map: /etc/snort/
      config gen-msg-map: /etc/snort/

      barnyard via cmd line
      /usr/local/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -s /etc/snort/ -g /etc/snort/ -p /etc/snort/classification.config -w /etc/snort/barnyard.bookmark -n -X /var/run/ -f snort_unified.log

      The above cmd line has the following options:
      -D = daemon mode
      -c = barnyard config file
      -d = log file directory
      -s = location
      -g = location
      -p = classification.config location
      -w = barnyard bookmark (for resuming barnyard operations) location
      -n = Only process new events
      -X = Process ID (pid) file location
      -f = log file to process name

      hope this helps.

    • cbdavis

      cbdavis - 2008-01-29

      Thanks for the reply. I am not using Barnyard. I have installed it and used it to see if I could fix the problem, but even with Barnyard installed I had the same results.

      /etc/snort/ map exists and is world readable:

      -rw-r--r-- 1 snort snort 1553624 2008-01-28 17:11 /etc/snort/

      The signatures that appear in BASE are always 1, 2, 3 or 4. Those numbers don't even exist in the . They do, however, exist in the mysql table signature as the auto_increment sig_id:

      mysql> select * from signature;
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      | sig_id | sig_name                                      | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      |      1 | (http_inspect) DOUBLE DECODING ATTACK         |            0 |            3 |       1 |       2 |     119 |
      |      2 | (http_inspect) OVERSIZE REQUEST-URI DIRECTORY |            0 |            3 |       1 |      15 |     119 |
      |      3 | (http_inspect) IIS UNICODE CODEPOINT ENCODING |            0 |            3 |       1 |       7 |     119 |
      |      4 | (http_inspect) BARE BYTE UNICODE ENCODING     |            0 |            3 |       1 |       4 |     119 |
      +--------+-----------------------------------------------+--------------+--------------+---------+---------+---------+
      4 rows in set (0.00 sec)

      How do they get into the signature table? Should they all be there? Are they supposed to be posted there when snort inserts into mysql? Should snort be putting a different sig_id there? I am unsure whether I should be looking at BASE as the problem or at snort as not inserting the correct info into mysql.

    • Juergen Leising

      Juergen Leising - 2008-01-29


      An alert is identified not just by one number, but by a combination of what is called, in table "signature", "sig_gid" AND "sig_sid". For example "119:4" (generator id:snort id).

      Cf. /etc/snort/, /etc/snort/generators.

      /etc/snort/ contains snort ids for generator no. 1 only, i.e. the one that checks the rules.

      Cf. the logfiles: they talk about "119:4:1", for example.

      "sig_id", by contrast, is something internal that differs from sensor to sensor and depends on what kind of alert came first.

      And yes, the query result that you have posted looks quite normal.

      Now your problem is similar to the one in thread "No Data in Alerts section of Base". So this is going to be difficult, as we haven't found a solution, yet.

      First off, what does the following query return?
      mysql> select encoding from sensor;

      Second, could you download, install and try the CVS version of BASE? So that we can exclude those bugs that we have already found.

      If the CVS version of BASE does NOT solve your problem, could you please upload a screenshot of your BASE screen to, or to any pastebin site.

      Is there anything useful in error_log or ssl_error_log of your web server?

      And then please enable debug mode in base_conf.php:

              $debug_mode = 1;

      and post the whole output here on this site, even if it is long. Maybe this reveals what makes BASE bail out on your system.

      Bye, bye
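The point made in the last reply (an alert is keyed by generator id plus snort id, while the signature table's sig_id is just an auto_increment handed out in order of first appearance) and the earlier observation that a missing or unreadable map file leaves BASE showing bare numbers can be checked with a small script. The following is an added example written for this page; it is not code from BASE, Snort or barnyard. It assumes the two map file formats that the barnyard options sid-msg-map and gen-msg-map refer to, namely gen-msg.map lines of the form `gid || sid || message` and sid-msg.map lines of the form `sid || message || reference...` (the latter covering generator 1 only), and the sample map contents and alert sequence below are constructed, not taken from a real installation.

```python
"""Resolve Snort alert ids (gid:sid[:rev]) to names and show what sig_id is.

Added example for this thread; not BASE, Snort or barnyard code.
Assumed map formats:
  gen-msg.map : gid || sid || message            (all generators)
  sid-msg.map : sid || message || references     (generator 1, the rules engine)
"""
import re
from typing import Dict, Iterable, List, Tuple

Key = Tuple[int, int]  # (sig_gid, sig_sid)

# Constructed sample map contents (the real files ship with Snort / the rule set).
GEN_MSG_MAP = """\
# generator id || alert id || message
1 || 1 || snort general alert
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
119 || 7 || (http_inspect) IIS UNICODE CODEPOINT ENCODING
119 || 15 || (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
"""

SID_MSG_MAP = """\
# sid || message || reference,...
1000001 || LOCAL test rule || url,example.invalid
"""

ALERT_RE = re.compile(r"^(\d+):(\d+)(?::(\d+))?$")


def _fields(line: str) -> List[str]:
    """Split a '||'-separated map line and strip the pieces."""
    return [f.strip() for f in line.split("||")]


def _key(alert_id: str) -> Key:
    """Turn 'gid:sid' or 'gid:sid:rev' (the form used in snort's logs) into (gid, sid)."""
    m = ALERT_RE.match(alert_id.strip())
    if not m:
        raise ValueError(f"not a gid:sid[:rev] identifier: {alert_id!r}")
    return int(m.group(1)), int(m.group(2))


def parse_gen_msg_map(text: str) -> Dict[Key, str]:
    """gen-msg.map: every generator, preprocessors such as 119 (http_inspect) included."""
    names: Dict[Key, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg = _fields(line)[:3]
        names[(int(gid), int(sid))] = msg
    return names


def parse_sid_msg_map(text: str) -> Dict[Key, str]:
    """sid-msg.map: rules only, so every entry is implicitly generator 1."""
    names: Dict[Key, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        names[(1, int(f[0]))] = f[1]
    return names


def load_maps(gen_text: str, sid_text: str) -> Dict[Key, str]:
    """Merge both maps into one (gid, sid) -> message lookup."""
    names = parse_gen_msg_map(gen_text)
    names.update(parse_sid_msg_map(sid_text))
    return names


def resolve(alert_id: str, names: Dict[Key, str]) -> str:
    """Name for an alert id; falls back to the bare id when no map entry exists."""
    return names.get(_key(alert_id), alert_id)


def assign_sig_ids(alerts: Iterable[str]) -> List[Tuple[int, int, int]]:
    """Mimic the signature table: sig_id is an auto_increment given out the first
    time a (gid, sid) pair is seen, so it depends on the order alerts arrive.
    Returns (sig_id, sig_gid, sig_sid) rows."""
    rows: List[Tuple[int, int, int]] = []
    seen: Dict[Key, int] = {}
    for alert in alerts:
        key = _key(alert)
        if key not in seen:
            seen[key] = len(seen) + 1
            rows.append((seen[key], key[0], key[1]))
    return rows


def unmapped(rows: Iterable[Tuple[int, int, int]], names: Dict[Key, str]) -> List[Key]:
    """(gid, sid) pairs in the signature table that no map entry names; these are
    the alerts a console can only display as a number."""
    return [(g, s) for _, g, s in rows if (g, s) not in names]


if __name__ == "__main__":
    names = load_maps(GEN_MSG_MAP, SID_MSG_MAP)
    # Constructed arrival order; it reproduces the sig_id/sig_sid rows quoted in the thread.
    rows = assign_sig_ids(["119:2:1", "119:15:1", "119:2:1", "119:7:1", "119:4:1"])
    for sig_id, gid, sid in rows:
        print(sig_id, f"{gid}:{sid}", resolve(f"{gid}:{sid}", names))
    print("unmapped:", unmapped(rows + [(5, 1, 999)], names))
```

Running the block prints the four rows with sig_id 1 to 4 next to their gid:sid and name, which is the same shape as the query output posted above, and reports 1:999 as unmapped. The practical check for the symptom in this thread is the `unmapped` result: if the pairs in your signature table come back unmapped when fed the map files your console actually reads, the console has the right gid:sid but no file that names it.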


