Re: [Sguil-users] sguil rules mismatch
From: Bamm V. <bam...@gm...> - 2008-02-04 19:33:54
No, your tinkering with the DB has not affected anything. Sguild does not use the DB to find rule information. It reads the actual text rule files and searches for a regexp match. Sometimes that match can return more than one result when rules have the same or similar alert messages. Sguild will return the first match when this happens, which could be the wrong match. The fix searches by sid.

Sguil 0.7.0 will be out when the documentation gets finished. I've just been having a hard time making the time to do that.

On Feb 4, 2008 12:23 PM, Ryan Dabbieri <rya...@gm...> wrote:
> Bamm,
>
> Thanks for the response. Yes, I am using sguil client 0.6.1 on a windows machine. I'm not sure what version of the sguil server/daemon I'm using as it came with a packaged version of slackware I got from se...@wh... (Guy Bruneau).
>
> When is the next version of sguil expected? I guess that my tinkering with the database directly is causing the problem. Can you suggest a better way to clean up the database so that sguil will still work properly?
>
> By the way, I am loving sguil. I originally had intended to load both sguil and base on the IDS, but after playing around with sguil for a bit I think I'm a convert.
>
> Thanks!
> Ryan
>
> On Feb 1, 2008 10:22 AM, Bamm Visscher <bam...@gm...> wrote:
> > I assume you are using Sguil version 0.6.1. This is a known bug that was fixed in CVS and will appear in the next release. In 0.6.1, rules are searched via a regexp for the event message; now they are searched based on the sid. My plan is to one day create some type of rule management with rules in the DB, I just haven't gotten there yet.
> >
> > Bammkkkk
> >
> > On Feb 1, 2008 8:04 AM, Ryan Dabbieri <rya...@gm...> wrote:
> > > In the rules window of sguil, I get a message where it says "unable to find matching rule in /usr/local/snort/rules." I can find the info in the mysql database fine, and it returns the correct SID. With every rules update I run the create-sidmap.pl to generate the correct sid-msg.map file, and I am able to find the corresponding SID and message map.
> > >
> > > The other issue I have is, with some packets where the rules window does return something, the "Event Message" does not match what's in the rules window. For example, I have a packet that matches sid 384 and the "Event Message" of the packet shows "ICMP Ping". But in the rules window, it shows:
> > >
> > > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ICMP PING IPTools";
> > > itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7
> > > A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7
> > > A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|";
> > > depth: 64; reference:url,www.ks-soft.net/ip-tools.eng; classtype: misc-activity; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; sid: 2000575; rev:5;)
> > > /usr/local/snort/rules/bleeding-scan.rules: Line 63
> > >
> > > Has anyone experienced a similar problem?
> > >
> > > I'm still a relative novice with snort, sguil, mysql, etc. Some points that may help determine what's going on.
> > > I created a local rule in local.rules with SID 1500000 to pass a subset of the packets that would be triggered by 2000575 (Packets that are ok and I don't want to be alerted to).
> > > I then deleted some of the rows in the mysql database with commands such as "remove from event where event.signature_sid = '2000575';
> > > I am using the -o option with snort so the pass rules will take precedence.
> > > Finally, I restarted snort after running the create-sidmap.pl script.
> > >
> > > Does anyone have any ideas on how I may have mucked things up and what I can do to fix things?
> > >
> > > Thanks!
> > > Ryan
> > >
> > > _______________________________________________
> > > Sguil-users mailing list
> > > Sgu...@li...
> > > https://lists.sourceforge.net/lists/listinfo/sguil-users
> >
> > --
> > sguil - The Analyst Console for NSM
> > http://sguil.sf.net

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
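The first-match-by-message lookup Bamm describes, the sid-based fix, and a check an analyst can run to spot event messages that match more than one rule, as an added Python illustration (this is not sguild's code; the sample rule files, the exact regexp form of the 0.6.1 lookup, and the text of the sid 384 rule are assumptions):

```python
import re

# Constructed sample rule files, not the real rule sets: the 2000575 rule is the
# one quoted in the thread (content abbreviated); the sid 384 rule text is assumed.
RULE_FILES = {
    "bleeding-scan.rules": [
        'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ICMP PING IPTools"; '
        'itype: 8; icode: 0; content:"|A7 A7 A7 A7|"; depth: 64; sid: 2000575; rev:5;)',
    ],
    "icmp-info.rules": [
        'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:384; rev:5;)',
    ],
}
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'sid:\s*(\d+)')

def parse_rules(rule_files):
    """Yield (file, line_no, msg, sid) for every rule, in file order."""
    for fname, lines in rule_files.items():
        for no, line in enumerate(lines, start=1):
            m, s = MSG_RE.search(line), SID_RE.search(line)
            if m and s:
                yield fname, no, m.group(1), int(s.group(1))

def find_by_msg(rule_files, event_msg):
    """0.6.1-style lookup (assumed form): first rule whose msg matches the event
    message as an unanchored, case-insensitive regexp; wrong when msgs overlap."""
    pat = re.compile(re.escape(event_msg), re.IGNORECASE)
    for fname, no, msg, sid in parse_rules(rule_files):
        if pat.search(msg):
            return fname, no, sid
    return None

def find_by_sid(rule_files, event_sid):
    """Post-fix lookup: match on the rule's sid, which is unique within a rule set."""
    for fname, no, _, sid in parse_rules(rule_files):
        if sid == event_sid:
            return fname, no, sid
    return None

def ambiguous_msgs(rule_files, event_msgs):
    """Analyst check: event messages that match more than one rule by msg,
    i.e. exactly the cases where a message-based lookup can show the wrong rule."""
    out = {}
    for ev in event_msgs:
        pat = re.compile(re.escape(ev), re.IGNORECASE)
        hits = [sid for _, _, msg, sid in parse_rules(rule_files) if pat.search(msg)]
        if len(hits) > 1:
            out[ev] = hits
    return out
```

With the sample files in this order, looking up the event message "ICMP Ping" returns the 2000575 rule from bleeding-scan.rules, while looking up sid 384 returns the right rule.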