[Secureideas-base-devel] events from non-default generator
Brought to you by:
secureideas,
sinukas
From: Michal M. <mi...@tr...> - 2005-04-30 01:13:48
|
Hello. I found a problem most of you are probably aware of. Sorry if it has been discussed before but it hasn't been fixed and I might have an idea how to fix it and I can code it if you agree on the fix. Some alerts have broken link to the Snort alert describing DB. These alerts are 'unusual', that is they aren't the result of the simple pattern match. The only visible effect of the issue are those broken links but it may be more widespread although I haven't really checked. The reason why I'm afraid it may be more serious is that the alerts are tied to the signature table which misses some information. In this table I'd expect the field sig_sid would be natural primary key because it's directly used to generate the link to the Snort description DB. Because it works on one place I am woried about it being used similarly wrongly somewhere else. The issue stems directly from Snort. Some alerts come from preprocessors and not from the usual snort pattern matcher. Snort internally identifies the alerts with gen_id, sig_id pair, and that's correct. When logging (at least with the DB output pluggin) it doesn't directly store the gen_id subkey. As can be guessed gen_id is 'generator id' and it's identification of some internal Snort engine (value 1 is for the normal pattern matcher, other values are for different preprocessors). I can see two solutions: One involves modifying Snort (it's DB output plugin at least) to log also gen_id. This will change the DB schema and possibly format of log records and this would in turn cause some 3rd party software to become at least partially incompatible. That solution seems to be the right one but is probably going to be difficult for us to achieve. The other may be done within BASE but it would need to get a little data from a new external source. Fortunately the developers of Snort are probably aware of the problem and chose the description of the signature to contain the identification of the preprocessor which generated the alert. The format is either general text for pattern matcher or 'the_name_of_the_preprocessor: general text' for other generators. If we had a table with the identification of the preprocessors and their gen_id's we would be able to 'reconstruct' the gen_id and thus construct the correct link to the Snort description DB and possibly do something more with the info (select alerts based on preprocessor or whatever). The only problem with this solution is where to get the contents of the table. AFAIK it isn't in the DB ATM. On the other hand this isn't a table which changes often so we might as well fill it during the installation of BASE. At worst we might miss some new preprocessor. What do you think? Michal |