Ok. I was using that test rule to illustrate my point, but in the interest of 
not getting issues mixed up, here is the same point illustrated with properly 
configured Snort/Barnyard/OSSEC:

Here are two alerts from the Snort fast.alert file:
------------------------------------------------------------------------
10/31/06-04:20:48.597375 {TCP} 10.11.10.23:15104 -> 10.7.3.11:139
[**] [1:250:4] DDOS mstream handler to client [**]
[Classification: Attempted Denial of Service] [Priority: 2]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138]
------------------------------------------------------------------------
10/31/06-08:59:46.876833 {TCP} 207.99.46.25:80 -> 10.11.10.23:16273
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
[Xref => http://www.securityfocus.com/bid/20042]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4566]
------------------------------------------------------------------------

And here are those alerts as picked up by OSSEC:
** Alert 1163192895.15466:
2006 Oct 31 04:20:50 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:250:4] DDOS mstream handler to client [**]

** Alert 1163192895.15668:
2006 Oct 31 08:59:51 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]

OSSEC is apparently not picking up the source IP, and from what I can tell from 
the Snort decoder file, it is also supposed to be picking up the destination 
IP. Is that correct?

Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
-----
Society doesn't understand me and technology fears me.

----- Original Message ----
From: Will Metcalf <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, November 14, 2006 7:43:19 AM
Subject: [ossec-list] Re: Snort Decoder


If you are adding rules you need to update sid-msg.map; look at the
file, it isn't that complicated.  If you want to map alerts from the
decoder/preprocs you need to point barnyard to your gen-msg.map.....

Regards,

Will





 
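An added example, not part of the thread and not OSSEC's own decoder code, to make the
decoding point concrete: a decoder that is handed fast.alert one line at a time can only
extract the fields that sit on that line. In Barnyard's two-line layout quoted above the
{TCP} src -> dst pair is on the timestamp line, and the [**] gid:sid:rev header is on the
next one, so a header-keyed per-line decoder has no IPs to report. The sample input is
constructed from the two records quoted in the post; the one-line record is constructed
to follow the layout Snort's own "-A fast" output uses, with the endpoints on the same
line as the header. That OSSEC's snort-fast decoder expects that one-line layout is an
assumption made here, not something the thread confirms.

```python
import re
from typing import Optional

# Sample input, constructed from the two fast.alert records quoted in the
# post (Barnyard's two-line layout: timestamp, proto and IPs on the first
# line, the [**] rule header on the second, then classification/xrefs).
SAMPLE_FAST_ALERT = """\
10/31/06-04:20:48.597375 {TCP} 10.11.10.23:15104 -> 10.7.3.11:139
[**] [1:250:4] DDOS mstream handler to client [**]
[Classification: Attempted Denial of Service] [Priority: 2]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138]
------------------------------------------------------------------------
10/31/06-08:59:46.876833 {TCP} 207.99.46.25:80 -> 10.11.10.23:16273
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
[Xref => http://www.securityfocus.com/bid/20042]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4566]
------------------------------------------------------------------------
"""

# Constructed: the same first event in the one-line layout that Snort's own
# "-A fast" output uses, with the {proto} src -> dst pair at the end of the
# same line as the [**] header (assumed layout, not taken from the thread).
SAMPLE_ONE_LINE = (
    "10/31/06-04:20:48.597375  [**] [1:250:4] DDOS mstream handler to client "
    "[**] [Classification: Attempted Denial of Service] [Priority: 2] "
    "{TCP} 10.11.10.23:15104 -> 10.7.3.11:139"
)

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
ENDPOINTS_RE = re.compile(r"\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")
SEPARATOR_RE = re.compile(r"^-{10,}\s*$", re.M)


def decode_line(line: str) -> Optional[dict]:
    """Decode one line the way a line-oriented collector would: only fields
    that appear on this very line can be extracted. Returns None if the line
    does not carry a [**] gid:sid:rev header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {
        "gid": int(m.group(1)),
        "sid": int(m.group(2)),
        "rev": int(m.group(3)),
        "msg": m.group(4),
        "proto": None,
        "srcip": None,
        "dstip": None,
    }
    e = ENDPOINTS_RE.search(line)
    if e:
        rec["proto"], rec["srcip"], rec["dstip"] = e.group(1), e.group(2), e.group(4)
    return rec


def decode_line_by_line(text: str) -> list:
    """Feed every line separately; endpoints on a neighbouring line are lost,
    which is the "Src IP: (none)" outcome seen in the OSSEC alerts above."""
    return [r for r in (decode_line(l) for l in text.splitlines()) if r]


def decode_records(text: str) -> list:
    """Join each record (delimited by the dashed separator line) into one
    line before decoding, so the two-line Barnyard layout yields src/dst
    exactly as the one-line layout does."""
    out = []
    for block in SEPARATOR_RE.split(text):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        rec = decode_line(" ".join(lines))
        if rec:
            rec["timestamp"] = lines[0].split()[0]
            out.append(rec)
    return out


if __name__ == "__main__":
    for r in decode_line_by_line(SAMPLE_FAST_ALERT):
        print("per-line  :", r["sid"], r["srcip"], r["dstip"])
    for r in decode_records(SAMPLE_FAST_ALERT):
        print("per-record:", r["sid"], r["srcip"], r["dstip"])
    one = decode_line(SAMPLE_ONE_LINE)
    print("one-line  :", one["sid"], one["srcip"], one["dstip"])
```

Running it prints None for both IPs in the per-line pass and the real addresses in the
per-record and one-line passes. The practical takeaway is to check which layout the
decoder's regex is written against and either have Barnyard emit that layout or give the
decoder a multi-line record to match, rather than assuming the missing IPs mean the rule
map is wrong.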