Hi Kurt,

This is not the snort fast output that you have in there, but the
snort full one (or something similar). Maybe barnyard is messing
things around..
Try configuring ossec to read it as "snort-full" instead of
"snort-fast" to see if it works (it should). Just change the
log_format for the alert file to be:

<log_format>snort-full</log_format>


The snort-fast is a one event per line log, like this:

01/13-14:55:40.175329  [**] [1:1420:11] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
10.10.100.1:61962 -> 10.10.100.2:162

Let us know if it works or not..

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On 11/14/06, Kurt <[EMAIL PROTECTED]> wrote:

Ok. I was using that test rule to illustrate my point, but in the interest of 
not getting issues mixed up, here is the same point illustrated with properly 
configured Snort/Barnyard/OSSEC:

Here are two alerts from the Snort fast.alert file:
------------------------------------------------------------------------
10/31/06-04:20:48.597375 {TCP} 10.11.10.23:15104 -> 10.7.3.11:139
[**] [1:250:4] DDOS mstream handler to client [**]
[Classification: Attempted Denial of Service] [Priority: 2]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138]
------------------------------------------------------------------------
10/31/06-08:59:46.876833 {TCP} 207.99.46.25:80 -> 10.11.10.23:16273
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt 
[**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
[Xref => http://www.securityfocus.com/bid/20042]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4566]
------------------------------------------------------------------------

And here are those alerts as picked up by OSSEC:
** Alert 1163192895.15466:
2006 Oct 31 04:20:50 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:250:4] DDOS mstream handler to client [**]

** Alert 1163192895.15668:
2006 Oct 31 08:59:51 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:8443:1] WEB-CLIENT Mozilla regular expression heap corruption attempt 
[**]

OSSEC is apparently not picking up the source IP, and from what I can tell from 
the Snort decoder file, it is also supposed to be picking up the destination 
IP, is that correct?

Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
-----
Society doesn't understand me and technology fears me.

----- Original Message ----
From: Will Metcalf <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, November 14, 2006 7:43:19 AM
Subject: [ossec-list] Re: Snort Decoder


If you are adding rules you need to update sid-msg.map, look at the
file it isn't that complicated.  If you want to map alerts from the
decoder/preprocs you need to point barnyard to your gen-msg.map.....

Regards,

Will