Re: Question for the experts

Paul Schmehl wrote:
> We're getting the following alerts from an instance of snort that is 
> using barnyard to feed mysql (FreeBSD - snort 2.1.3 - barnyard  0.2.0 - 
> mysql 3.23.58.
>
> bash-2.05b# grep output /usr/local/etc/snort_special.conf | grep -v "#"
> output log_unified: filename snort_special.log, limit 128
>
> bash-2.05b# grep output /usr/local/etc/barnyard.conf | grep -v "#"
> output log_acid_db: mysql, database snort_special, server localhost, 
> user user, password password, detail full
>
> Alert number                   Priority:sid:rev    Most recent alert 
> Source IP
> Dest IP  Protocol
>
> #0-(1-691753) [snort] Snort Alert [1:2147483647:0] 2004-11-04 23:06:42 
> 129.110.20.1:143 24.1.206.36:3918 TCP
>
> #1-(1-691754) [snort] Snort Alert [1:2147483647:0] 2004-11-04 23:07:01 
> 129.110.20.1:143 24.1.206.36:3918 TCP
>
> #2-(1-691755) [snort] Snort Alert [1:2147483647:0] 2004-11-04 23:07:55 
> 129.110.10.12:41341 206.16.192.227:25 TCP
>
> After examining the payloads, it was determined that these were 
> triggered by an alert we wrote yesterday.
>
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "DMCA Violation - 
> Still Standing"; classtype: misc-activity; content: 
> "still.standing.s03e06.hdtv-lol"; sid: 10000000033; rev: 1;)
>
> The alert *is* in the sid-msg.map.
>
> bash-2.05b# grep 10000000033 /usr/local/share/snort/sid-msg_special.map
> 10000000033 || DMCA Violation - Still Standing

Is that supposed to be 10 billion?  The maximum value for a sid is a 
signed 32 but integer (thus the 2 billion value lists above).  Snort 
does not range check the sid value so you will not get an error if it 
out of bounds.  Try reducing the sid value down to a more reasonable number.

-A


-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click