database mysql_error: Duplicate entry

[s-takehana]

Hi,

I'm using Barnyard2[Version 2.1.13 (Build 327)].

When Barnyard2 was restarted by daily cron, I received error messages from Barnyard2 twice in 4 months.

Error messages

ERROR: database mysql_error: Duplicate entry '536-4' for key 'PRIMARY'
#011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('4555','536','4');]
Fatal Error, Quitting..
Barnyard2 exiting

I've resolved the error by deleting duplicate records.

Please tell me why this duplicate error happens.

Is barnyard2.conf as follows a cause?

barnyard2.conf

output database: log, mysql, user=*** password=*** dbname=db1 host=localhost
output database: log, mysql, user=*** password=*** dbname=db2 host=localhost

[binf]

On Mon, Sep 9, 2013 at 2:25 AM, s-takehana notifications@github.com wrote:

Hi,

I'm using Barnyard2[Version 2.1.13 (Build 327)].

When Barnyard2 was restarted by daily cron, I received error messages from Barnyard2 twice in 4 months.

Error messages

ERROR: database mysql_error: Duplicate entry '536-4' for key 'PRIMARY'

011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('4555','536','4');]

Fatal Error, Quitting.. Barnyard2 exiting

I've resolved the error by deleting duplicate records.

Please tell me why this duplicate error happens.

1. Is your mysql database stoage is InnoDB or MyIASM?
2. Did you upgrade to 2-1.13 from a previous version?

Is barnyard2.conf as follows a cause?

No, shouldn't be a problem.

barnyard2.conf

output database: log, mysql, user=* password=* dbname=db1 host=localhost output database: log, mysql, user=* password=* dbname=db2 host=localhost

— Reply to this email directly or view it on GitHub.

[s-takehana]

Is your mysql database stoage is InnoDB or MyIASM?

MySQL database storage is InnoDB.

Did you upgrade to 2-1.13 from a previous version?

Yes, I upgraded from 2-1.11.

[binf]

On Mon, Sep 9, 2013 at 3:05 AM, s-takehana notifications@github.com wrote:

Is your mysql database stoage is InnoDB or MyIASM?

MySQL database storage is InnoDB.

Did you upgrade to 2-1.13 from a previous version?

Yes, I upgraded from 2-1.11.

Before you upgraded did you read the release notes?

UPGRADE REQUIREMENTS If you are upgrading to barnyard2 2-1.13 (build 327) or above from a previous version and using output database. You will need to delete every row in your sig_reference table. (DELETE FROM sig_reference;) The table will be re-populated at startup, and has no impact on historical data.

— Reply to this email directly or view it on GitHub.

[s-takehana]

Sorry, I overlooked that.

@binf Thank you kindly.

[s-takehana]

Hi @binf,

I've deleted every row in sig_reference table. The issue did not occur.

But the last few days, same issue occurs every restarting Barnyard2. I'm compelled to delete every row in sig_reference table before executing Barnyard2.

I'm executing two Barnyard2 processes below.

Snort(use VRT rules) -> unified2 -> Barnyard2 -> DB1 and DB2 Suricata(use ET PRO rules) -> unified2 -> Barnyard2 -> DB2

This issue happens in DB2. Do you have any information?

[binf]

On Thu, Oct 17, 2013 at 11:05 PM, s-takehana notifications@github.comwrote:

Hi @binf https://github.com/binf,

I've deleted every row in sig_reference table. The issue did not occur.

But the last few days, same issue occurs every restarting Barnyard2. I'm compelled to delete every row in sig_reference table before executing Barnyard2.

I'm executing two Barnyard2 processes below.

Snort(use VRT rules) -> unified2 -> Barnyard2 -> DB1 and DB2 Suricata(use ET PRO rules) -> unified2 -> Barnyard2 -> DB2

This issue happens in DB2.

Do you have any information?

I assume that only your suricata barnyard2 process is affected,

Can you find out which signature is causing the issue in the ET PRO ruleset and extract historical iteration out of it?

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-26569394 .

[binf]

I assume that only your suricata barnyard2 process is affected, Can you find out which signature is causing the issue in the ET PRO ruleset and extract historical iteration out of it?

Hit send before proof reading my self, by "extract historical iteration out of it" i mean identify which rule would have changed and most probably with added/swaped references.

[s-takehana]

cat /var/log/messages | grep "Duplicate entry"

Oct 16 03:32:06 ids barnyard2:suricata[31764]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'
Oct 17 03:32:07 ids barnyard2:suricata[1247]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'
Oct 18 03:32:07 ids barnyard2:suricata[3399]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'
Oct 18 10:06:56 ids barnyard2:suricata[6762]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'
Oct 18 10:15:26 ids barnyard2:suricata[17277]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'
Oct 18 10:29:45 ids barnyard2:suricata[2585]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'

MySQL

mysql> use DB2
mysql> SELECT * FROM sig_reference WHERE sig_id = 732;
+--------+---------+--------+
| sig_id | ref_seq | ref_id |
+--------+---------+--------+
|    732 |       1 |  13620 |
|    732 |       2 |  65615 |
|    732 |       3 |  13457 |
+--------+---------+--------+
3 rows in set (0.00 sec)
mysql> SELECT * FROM reference WHERE ref_id = 13620;
+--------+---------------+-------------------------------+
| ref_id | ref_system_id | ref_tag                       |
+--------+---------------+-------------------------------+
|  13620 |             5 | code.google.com/p/sipvicious/ |
+--------+---------------+-------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM reference WHERE ref_id = 65615;
+--------+---------------+-------------------------------------------------------------------+
| ref_id | ref_system_id | ref_tag                                                           |
+--------+---------------+-------------------------------------------------------------------+
|  65615 |             5 | blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html |
+--------+---------------+-------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM reference WHERE ref_id = 13457;
+--------+---------------+---------------------------------+
| ref_id | ref_system_id | ref_tag                         |
+--------+---------------+---------------------------------+
|  13457 |             5 | doc.emergingthreats.net/2011716 |
+--------+---------------+---------------------------------+
1 row in set (0.00 sec)
mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 732;
+-----------------------------------------------------------+---------+---------+---------+
| sig_name                                                  | sig_rev | sig_sid | sig_gid |
+-----------------------------------------------------------+---------+---------+---------+
| ET SCAN Sipvicious User-Agent Detected (friendly-scanner) |       3 | 2011716 |       1 |
+-----------------------------------------------------------+---------+---------+---------+
1 row in set (0.00 sec)

cat /pathto/suricata/rules/sid-msg.map | grep 2011716

2011716 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,doc.emergingthreats.net/2011716 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/

cat /pathto/suricata/rules/scan.rules | grep 2011716

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;)

History of sig_sid 2011716 http://doc.emergingthreats.net/2011716

I'm updating ET PRO ruleset using Oinkmaster via daily cron. I don't confirm to change the signature from Oinkmaster logs for two weeks.

[binf]

Well it has changed if you look at the rule body and reference file and you look at what was is logged in your database.

You could delete only the following row and it should work again without mutch of an issue.

DELETE FROM sig_reference WHERE sig_id='732' AND ref_seq='ref_seq' AND ref_id='65615';

On Fri, Oct 18, 2013 at 1:30 AM, s-takehana notifications@github.comwrote:

cat /var/log/messages | grep "Duplicate entry"

Oct 16 03:32:06 ids barnyard2:suricata[31764]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 17 03:32:07 ids barnyard2:suricata[1247]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 03:32:07 ids barnyard2:suricata[3399]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:06:56 ids barnyard2:suricata[6762]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:15:26 ids barnyard2:suricata[17277]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:29:45 ids barnyard2:suricata[2585]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'

MySQL

mysql> use DB2 mysql> SELECT * FROM sig_reference WHERE sig_id = 732; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 732 | 1 | 13620 | | 732 | 2 | 65615 | | 732 | 3 | 13457 | +--------+---------+--------+ 3 rows in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 13620; +--------+---------------+-------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-------------------------------+ | 13620 | 5 | code.google.com/p/sipvicious/ | +--------+---------------+-------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 65615; +--------+---------------+-------------------------------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-------------------------------------------------------------------+ | 65615 | 5 | blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html | +--------+---------------+-------------------------------------------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 13457; +--------+---------------+---------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+---------------------------------+ | 13457 | 5 | doc.emergingthreats.net/2011716 | +--------+---------------+---------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 732; +-----------------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +-----------------------------------------------------------+---------+---------+---------+ | ET SCAN Sipvicious User-Agent Detected (friendly-scanner) | 3 | 2011716 | 1 | +-----------------------------------------------------------+---------+---------+---------+ 1 row in set (0.00 sec)

cat /pathto/suricata/rules/sid-msg.map | grep 2011716

2011716 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,doc.emergingthreats.net/2011716 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/

cat /pathto/suricata/rules/scan.rules | grep 2011716

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;)

History of sig_sid 2011716 http://doc.emergingthreats.net/2011716

I'm updating ET PRO ruleset using Oinkmaster via daily cron. I don't confirm to change the signature from Oinkmaster logs for two weeks.

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-26573167 .

[binf]

OR you could update the reference tag in the ref table:

UPDATE reference SET ref_tag='blog.sipvicious.org/' WHERE ref_id='65615' AND system_id='5';

and it think the later is the better solution imho.

-elz

On Fri, Oct 18, 2013 at 3:25 AM, beenph beenph@gmail.com wrote:

Well it has changed if you look at the rule body and reference file and you look at what was is logged in your database.

You could delete only the following row and it should work again without mutch of an issue.

DELETE FROM sig_reference WHERE sig_id='732' AND ref_seq='ref_seq' AND ref_id='65615';

On Fri, Oct 18, 2013 at 1:30 AM, s-takehana notifications@github.comwrote:

cat /var/log/messages | grep "Duplicate entry"

Oct 16 03:32:06 ids barnyard2:suricata[31764]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 17 03:32:07 ids barnyard2:suricata[1247]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 03:32:07 ids barnyard2:suricata[3399]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:06:56 ids barnyard2:suricata[6762]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:15:26 ids barnyard2:suricata[17277]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY' Oct 18 10:29:45 ids barnyard2:suricata[2585]: ERROR: database mysql_error: Duplicate entry '732-2' for key 'PRIMARY'

MySQL

mysql> use DB2 mysql> SELECT * FROM sig_reference WHERE sig_id = 732; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 732 | 1 | 13620 | | 732 | 2 | 65615 | | 732 | 3 | 13457 | +--------+---------+--------+ 3 rows in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 13620; +--------+---------------+-------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-------------------------------+ | 13620 | 5 | code.google.com/p/sipvicious/ | +--------+---------------+-------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 65615; +--------+---------------+-------------------------------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-------------------------------------------------------------------+ | 65615 | 5 | blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html | +--------+---------------+-------------------------------------------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT * FROM reference WHERE ref_id = 13457; +--------+---------------+---------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+---------------------------------+ | 13457 | 5 | doc.emergingthreats.net/2011716 | +--------+---------------+---------------------------------+ 1 row in set (0.00 sec)

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 732; +-----------------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +-----------------------------------------------------------+---------+---------+---------+ | ET SCAN Sipvicious User-Agent Detected (friendly-scanner) | 3 | 2011716 | 1 | +-----------------------------------------------------------+---------+---------+---------+ 1 row in set (0.00 sec)

cat /pathto/suricata/rules/sid-msg.map | grep 2011716

2011716 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,doc.emergingthreats.net/2011716 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/

cat /pathto/suricata/rules/scan.rules | grep 2011716

alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;)

History of sig_sid 2011716 http://doc.emergingthreats.net/2011716

I'm updating ET PRO ruleset using Oinkmaster via daily cron. I don't confirm to change the signature from Oinkmaster logs for two weeks.

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-26573167 .

[s-takehana]

I've executed below SQL, but this issue still occurs.

UPDATE reference SET ref_tag='blog.sipvicious.org/' WHERE ref_id='65615' AND ref_system_id='5';

So I've executed below SQL too, then other duplicate entry was detected.

DELETE FROM sig_reference WHERE sig_id='732' AND ref_id = '65615'

Oct 18 17:12:23 ids barnyard2:suricata[20417]: ERROR: database mysql_error: Duplicate entry '634-3' for key 'PRIMARY'

mysql> SELECT * FROM sig_reference WHERE sig_id = 634;
+--------+---------+--------+
| sig_id | ref_seq | ref_id |
+--------+---------+--------+
|    634 |       1 |  13392 |
|    634 |       2 |  13620 |
|    634 |       3 |  65904 |
|    634 |       4 |  13391 |
+--------+---------+--------+
4 rows in set (0.00 sec)
mysql> select * from sig_reference WHERE ref_id = 65904;
+--------+---------+--------+
| sig_id | ref_seq | ref_id |
+--------+---------+--------+
|    633 |       2 |  65904 |
|    634 |       3 |  65904 |
+--------+---------+--------+
2 rows in set (0.00 sec)

Can I delete every row in sig_reference and reference table?

[binf]

On Fri, Oct 18, 2013 at 6:11 AM, s-takehana notifications@github.com wrote:

I've executed below SQL, but this issue still occurs.

UPDATE reference SET ref_tag='blog.sipvicious.org/' WHERE ref_id='65615' AND ref_system_id='5';

So I've executed below SQL too, then other duplicate entry was detected.

DELETE FROM sig_reference WHERE sig_id='732' AND ref_id = '65615'

Oct 18 17:12:23 ids barnyard2:suricata[20417]: ERROR: database mysql_error: Duplicate entry '634-3' for key 'PRIMARY'

mysql> SELECT * FROM sig_reference WHERE sig_id = 634; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 634 | 1 | 13392 | | 634 | 2 | 13620 | | 634 | 3 | 65904 | | 634 | 4 | 13391 | +--------+---------+--------+ 4 rows in set (0.00 sec)

mysql> select * from sig_reference WHERE ref_id = 65904; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 633 | 2 | 65904 | | 634 | 3 | 65904 | +--------+---------+--------+ 2 rows in set (0.00 sec)

Can I delete every row in sig_reference and reference table?

You could check ref's and see what changed and do as above or., you can delete sig_reference table without an issue but i would not recommend that you clear reference table, unless you know for sure you could handle a few things your self.

[s-takehana]

All right.

Finally I have two questions.

1. What's root causes of this issue?
2. Are there any ways to prevent this issue?

[binf]

On Sun, Oct 20, 2013 at 8:56 PM, s-takehana notifications@github.comwrote:

All right.

Finally I have two questions.

1. What's basic causes of this issue?

In your case it seem's that references in the signature changed, when barnyard2 populate the sig_reference table there was an violation of the table integrity and the process stoped.

Are there any ways to prevent this issue?

—

No but the fix has been inlined in the thread. You can either clear the ole table or delete the offending entry in sig_reference and in both case restart the process.

[s-takehana]

Thank you for answering.

I've been getting duplicate issue.

I've tried to delete only duplicate entry or update reference tag while referring to your help. As a result, restarting Suricata Barnyad2 was fine without duplicate problem.

But restarting Snort Barnyard2 before restarting Suricata Barnyard2 reproduced the problem. The duplicate entry was same records in sig_reference table every time.

[binf]

Thats probably because the rule in your sid-msg.map betwen your two system differs.

On Tue, Oct 22, 2013 at 10:29 PM, s-takehana notifications@github.comwrote:

Thank you for answering.

I've been getting duplicate issue.

I've tried to delete only duplicate entry or update reference tag while referring to your help. As a result, restarting Suricata Barnyad2 was fine without duplicate problem.

But restarting Snort Barnyard2 before restarting Suricata Barnyard2 reproduced the problem. The duplicate entry was same records in sig_reference table every time.

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-26876348 .

[s-takehana]

Snort Barnyard2 is using sid-msg.map of VRT ruleset. Suricata Barnyard2 is using sid-msg.map of ET PRO ruleset.

Can Barnyard2 not use two different rulesets in same database?

[binf]

Sure should be, but you said that if you started the suricata by2 before the snort process after the fix everything was fine but if you went otherwise it was not fine.

So i assume that mabey you have a line in both sid-msg.map file that is conflicting?

let say sid:11111 in vrt ruleset has ref: abcdef and sid:11111 in et ruleset has ref: abcdefghij

For now that would be the only reason.... mabey if you do the same exercise as previously to see which signature is conflicting and how they are described in their respective sid-msg.map file this could give more insight?

-elz

On Tue, Oct 22, 2013 at 10:47 PM, s-takehana notifications@github.comwrote:

Snort Barnyard2 is using sid-msg.map of VRT ruleset. Suricata Barnyard2 is using sid-msg.map of ET PRO ruleset.

Can Barnyard2 not use two different rulesets in same database?

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-26876927 .

[s-takehana]

Duplicate entries are below three records in sig_reference table every time.

mysql> SELECT * FROM sig_reference WHERE ref_id = 68992;
+--------+---------+--------+
| sig_id | ref_seq | ref_id |
+--------+---------+--------+
|    633 |       2 |  68992 |
|    634 |       3 |  68992 |
|    732 |       2 |  68992 |
+--------+---------+--------+
mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 633;
+------------------------------------------------------------+---------+---------+---------+
| sig_name                                                   | sig_rev | sig_sid | sig_gid |
+------------------------------------------------------------+---------+---------+---------+
| ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser) |       3 | 2012204 |       1 |
+------------------------------------------------------------+---------+---------+---------+
mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 634;
+-------------------------------------------------------------+---------+---------+---------+
| sig_name                                                    | sig_rev | sig_sid | sig_gid |
+-------------------------------------------------------------+---------+---------+---------+
| ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) |       3 | 2011766 |       1 |
+-------------------------------------------------------------+---------+---------+---------+
mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 732;
+-----------------------------------------------------------+---------+---------+---------+
| sig_name                                                  | sig_rev | sig_sid | sig_gid |
+-----------------------------------------------------------+---------+---------+---------+
| ET SCAN Sipvicious User-Agent Detected (friendly-scanner) |       3 | 2011716 |       1 |
+-----------------------------------------------------------+---------+---------+---------+
mysql> SELECT * FROM reference WHERE ref_id = 68992;
+--------+---------------+-------------------------------------------------------------------+
| ref_id | ref_system_id | ref_tag                                                           |
+--------+---------------+-------------------------------------------------------------------+
|  68992 |             5 | blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html |
+--------+---------------+-------------------------------------------------------------------+

ET PRO ruleset sid-msg.map

cat /pathto/suricata/rules/sid-msg.map | grep 2012204
2012204 || ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser) || url,honeynet.org.au/?q=sunday_scanner || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/
cat /pathto/suricata/rules/sid-msg.map | grep 2011766
2011766 || ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) || url,doc.emergingthreats.net/2011766 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/ || url,honeynet.org.au/?q=sunday_scanner
cat /pathto/suricata/rules/sid-msg.map | grep 2011716
2011716 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,doc.emergingthreats.net/2011716 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/
cat /pathto/suricata/rules/sid-msg.map | grep "blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html"
(nothing)

VRT ruleset sid-msg.map

cat /pathto/snort/sid-msg.map | grep 2012204
(nothing)
cat /pathto/snort/sid-msg.map | grep 2011766
(nothing)
cat /pathto/snort/sid-msg.map | grep 2011716
(nothing)
cat /pathto/snort/sid-msg.map | grep "blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html"
27899 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27900 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27901 || PROTOCOL-VOIP Ghost call attack attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27902 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27903 || PROTOCOL-VOIP Ghost call attack attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27904 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html

[binf]

On Thu, Oct 24, 2013 at 4:40 AM, s-takehana notifications@github.com wrote:

Duplicate entries are below three records in sig_reference table every time.

mysql> SELECT * FROM sig_reference WHERE ref_id = 68992; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 633 | 2 | 68992 | | 634 | 3 | 68992 | | 732 | 2 | 68992 | +--------+---------+--------+

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 633; +------------------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +------------------------------------------------------------+---------+---------+---------+ | ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser) | 3 | 2012204 | 1 | +------------------------------------------------------------+---------+---------+---------+

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 634; +-------------------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +-------------------------------------------------------------+---------+---------+---------+ | ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) | 3 | 2011766 | 1 | +-------------------------------------------------------------+---------+---------+---------+

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 732; +-----------------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +-----------------------------------------------------------+---------+---------+---------+ | ET SCAN Sipvicious User-Agent Detected (friendly-scanner) | 3 | 2011716 | 1 | +-----------------------------------------------------------+---------+---------+---------+

mysql> SELECT * FROM reference WHERE ref_id = 68992; +--------+---------------+-------------------------------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-------------------------------------------------------------------+ | 68992 | 5 | blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html | +--------+---------------+-------------------------------------------------------------------+

ET PRO ruleset sid-msg.map

cat /pathto/suricata/rules/sid-msg.map | grep 2012204 2012204 || ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser) || url,honeynet.org.au/?q=sunday_scanner || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/

cat /pathto/suricata/rules/sid-msg.map | grep 2011766 2011766 || ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) || url,doc.emergingthreats.net/2011766 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/ || url,honeynet.org.au/?q=sunday_scanner

cat /pathto/suricata/rules/sid-msg.map | grep 2011716 2011716 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,doc.emergingthreats.net/2011716 || url,blog.sipvicious.org/ || url,code.google.com/p/sipvicious/

cat /pathto/suricata/rules/sid-msg.map | grep "blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" (nothing)

VRT ruleset sid-msg.map

cat /pathto/snort/sid-msg.map | grep 2012204 (nothing)

cat /pathto/snort/sid-msg.map | grep 2011766 (nothing)

cat /pathto/snort/sid-msg.map | grep 2011716 (nothing)

cat /pathto/snort/sid-msg.map | grep "blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" 27899 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html 27900 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html 27901 || PROTOCOL-VOIP Ghost call attack attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html 27902 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html 27903 || PROTOCOL-VOIP Ghost call attack attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html 27904 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html

Given the data you gave me i think i found the issue,

can you try this branch and tell me if this fix your issue without deleting anything from the database?

https://github.com/binf/barnyard2/tree/bug-fix-release

Let me know the outcomes.

-elz

[s-takehana]

I've updated to bug-fix-release and tried it. As a result, failures occurred in both Snort Barnyard2 and Suricata Barnyard2.

Oct 25 15:44:02 ids barnyard2:snort[28591]: Opened spool file '/var/log/snort/snort.log.1382637653'
Oct 25 15:44:02 ids barnyard2:snort[28591]: ERROR database: Returned signature_id [479] is not equal to updated signature_id [20944] in [dbSignatureInformationUpdate()]
Oct 25 15:44:02 ids barnyard2:snort[28591]: [dbProcessSignatureInformation()] Line[1556], call to dbSignatureInformationUpdate failed for :
Oct 25 15:44:02 ids barnyard2:snort[28591]: [gid :139] [sid: 1] [upd_rev: 1] [upd class: 35] [upd pri 2]
Oct 25 15:44:02 ids barnyard2:snort[28591]: ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
Oct 25 15:44:02 ids barnyard2:snort[28591]: Fatal Error, Quitting..
Oct 25 15:44:02 ids barnyard2:snort[28591]: Barnyard2 exiting
Oct 25 15:45:12 ids barnyard2:suricata[3873]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Oct 25 15:45:12 ids barnyard2:suricata[3873]: INFO database: Defaulting Reconnect sleep time to 5 second
Oct 25 15:51:46 ids barnyard2:suricata[3873]: ERROR: database mysql_error: Duplicate entry '101033-1' for key 'PRIMARY'
Oct 25 15:51:46 ids barnyard2:suricata[3873]: #011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('23317','101033','1');]
Oct 25 15:51:46 ids barnyard2:suricata[3873]: Fatal Error, Quitting..
Oct 25 15:51:46 ids barnyard2:suricata[3873]: Barnyard2 exiting

[binf]

On Fri, Oct 25, 2013 at 3:10 AM, s-takehana notifications@github.com wrote:

I've updated to bug-fix-release and tried it. As a result, failures occurred in both Snort Barnyard2 and Suricata Barnyard2.

Which output is which process? Can you drill down the information related to each process?

Oct 25 15:44:02 ids barnyard2:snort[28591]: Opened spool file '/var/log/snort/snort.log.1382637653' Oct 25 15:44:02 ids barnyard2:snort[28591]: ERROR database: Returned signature_id [479] is not equal to updated signature_id [20944] in [dbSignatureInformationUpdate()] Oct 25 15:44:02 ids barnyard2:snort[28591]: [dbProcessSignatureInformation()] Line[1556], call to dbSignatureInformationUpdate failed for : Oct 25 15:44:02 ids barnyard2:snort[28591]: [gid :139] [sid: 1] [upd_rev: 1] [upd class: 35] [upd pri 2] Oct 25 15:44:02 ids barnyard2:snort[28591]: ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing Oct 25 15:44:02 ids barnyard2:snort[28591]: Fatal Error, Quitting.. Oct 25 15:44:02 ids barnyard2:snort[28591]: Barnyard2 exiting

Duplicate entries in signature table? Should not happen and should not be consequent of 2-1.13

Oct 25 15:45:12 ids barnyard2:suricata[3873]: INFO database: Defaulting Reconnect/Transaction Error limit to 10 Oct 25 15:45:12 ids barnyard2:suricata[3873]: INFO database: Defaulting Reconnect sleep time to 5 second Oct 25 15:51:46 ids barnyard2:suricata[3873]: ERROR: database mysql_error: Duplicate entry '101033-1' for key 'PRIMARY' Oct 25 15:51:46 ids barnyard2:suricata[3873]: #011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('23317','101033','1');] Oct 25 15:51:46 ids barnyard2:suricata[3873]: Fatal Error, Quitting.. Oct 25 15:51:46 ids barnyard2:suricata[3873]: Barnyard2 exiting

Can you extract info for this signature as you did before?

[s-takehana]

Duplicate entry in sig_reference table issue still remain in Suricata Barnyard2 process. Furthermore, other issue has come up in Snort Barnyard2 process.

I should divide by two databases per process using differ ruleset because Barnyard2 recommended. I'm planning it.

Sorry @binf. Could you tell me how to fix currently raised error in Snort Barnyard2 process? The error occurred when first executing bug-fix-release.

Oct 28 11:11:32 ids barnyard2:snort[1129]:  / ,,_  \  Version 2.1.13 (Build 327) IPv6
Oct 28 11:11:32 ids barnyard2:snort[1129]:  |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
Oct 28 11:11:32 ids barnyard2:snort[1129]:  + '''' +  (C) Copyright 2008-2013 Ian Firns 
Oct 28 11:11:32 ids barnyard2:snort[1129]:
Oct 28 11:11:32 ids barnyard2:snort[1129]: Using waldo file '/etc/snort/bylog.waldo':
Oct 28 11:11:32 ids barnyard2:snort[1129]:     spool directory = /var/log/snort
Oct 28 11:11:32 ids barnyard2:snort[1129]:     spool filebase  = snort.log
Oct 28 11:11:32 ids barnyard2:snort[1129]:     time_stamp      = 1382637653
Oct 28 11:11:32 ids barnyard2:snort[1129]:     record_idx      = 17969
Oct 28 11:11:32 ids barnyard2:snort[1129]: Opened spool file '/var/log/snort/snort.log.1382637653'
Oct 28 11:11:32 ids barnyard2:snort[1129]: ERROR database: Returned signature_id [479] is not equal to updated signature_id [35210] in [dbSignatureInformationUpdate()]
Oct 28 11:11:32 ids barnyard2:snort[1129]: [dbProcessSignatureInformation()] Line[1556], call to dbSignatureInformationUpdate failed for :
Oct 28 11:11:32 ids barnyard2:snort[1129]: [gid :139] [sid: 1] [upd_rev: 1] [upd class: 35] [upd pri 2]
Oct 28 11:11:32 ids barnyard2:snort[1129]: ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing
Oct 28 11:11:32 ids barnyard2:snort[1129]: Fatal Error, Quitting..
Oct 28 11:11:32 ids barnyard2:snort[1129]: Barnyard2 exiting

mysql> SELECT sig_id , sig_name,  sig_class_id, sig_priority, sig_rev FROM signature WHERE sig_gid = 139 AND sig_sid = 1;
+--------+----------------------------------------------------------+--------------+--------------+---------+
| sig_id | sig_name                                                 | sig_class_id | sig_priority | sig_rev |
+--------+----------------------------------------------------------+--------------+--------------+---------+
|    479 | sensitive_data: sensitive data global threshold exceeded |           35 |            2 |       1 |
|   3783 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   4207 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   4598 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   5073 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   5598 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   6133 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   6554 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   6872 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   7236 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   7710 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   8131 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   8503 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   8924 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   9309 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|   9732 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  10118 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  10539 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  10927 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  11350 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  11753 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  12176 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  12576 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  12997 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  13396 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  13817 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  14202 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  14623 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  15033 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  15455 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  15850 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  16271 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  16660 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  17081 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  17467 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  17888 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  18288 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  18709 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  19085 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  19507 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  19895 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  20316 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  20735 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  21156 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  21554 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  21975 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  22351 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  22772 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  23160 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  23643 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  24064 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  24455 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  24876 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  25259 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  25681 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  26059 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  26482 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  26865 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  27286 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  27673 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  28095 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  28478 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  28899 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  29276 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  29697 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  30082 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  30503 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  30877 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  31298 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  31676 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  32097 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  32484 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  32906 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  33295 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  33717 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  34048 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  34369 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  34737 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
|  35210 | sensitive_data: sensitive data global threshold exceeded |            0 |            3 |       1 |
+--------+----------------------------------------------------------+--------------+--------------+---------+
79 rows in set (0.11 sec)

# cat /pathto/snort/gen-msg.map | grep 139
139 || 1 || sensitive_data: sensitive data global threshold exceeded

[binf]

On Mon, Oct 28, 2013 at 1:50 AM, s-takehana notifications@github.com wrote:

Duplicate entry in sig_reference table issue still remain in Suricata Barnyard2 process. Furthermore, other issue has come up in Snort Barnyard2 process.

Did you clear the entries in sig_reference before testing the test branch? Which step did you take, etc...

I should divide by two databases per process using differ ruleset because Barnyard2 recommended. I'm planning it.

Barnyard2 recommended? There shouldn't be any issue running ET and VRT together on a same db.

Sorry @binf. Could you tell me how to fix currently raised error in Snort Barnyard2 process? The error occurred when first executing bug-fix-release.

Oct 28 11:11:32 ids barnyard2:snort[1129]: / ,,_ \ Version 2.1.13 (Build 327) IPv6 Oct 28 11:11:32 ids barnyard2:snort[1129]: |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/ Oct 28 11:11:32 ids barnyard2:snort[1129]: + '''' + (C) Copyright 2008-2013 Ian Firns Oct 28 11:11:32 ids barnyard2:snort[1129]: Oct 28 11:11:32 ids barnyard2:snort[1129]: Using waldo file '/etc/snort/bylog.waldo': Oct 28 11:11:32 ids barnyard2:snort[1129]: spool directory = /var/log/snort Oct 28 11:11:32 ids barnyard2:snort[1129]: spool filebase = snort.log Oct 28 11:11:32 ids barnyard2:snort[1129]: time_stamp = 1382637653 Oct 28 11:11:32 ids barnyard2:snort[1129]: record_idx = 17969 Oct 28 11:11:32 ids barnyard2:snort[1129]: Opened spool file '/var/log/snort/snort.log.1382637653' Oct 28 11:11:32 ids barnyard2:snort[1129]: ERROR database: Returned signature_id [479] is not equal to updated signature_id [35210] in [dbSignatureInformationUpdate()] Oct 28 11:11:32 ids barnyard2:snort[1129]: [dbProcessSignatureInformation()] Line[1556], call to dbSignatureInformationUpdate failed for : Oct 28 11:11:32 ids barnyard2:snort[1129]: [gid :139] [sid: 1] [upd_rev: 1] [upd class: 35] [upd pri 2] Oct 28 11:11:32 ids barnyard2:snort[1129]: ERROR: [dbProcessSignatureInformation()]: Failed, stoping processing Oct 28 11:11:32 ids barnyard2:snort[1129]: Fatal Error, Quitting.. Oct 28 11:11:32 ids barnyard2:snort[1129]: Barnyard2 exiting

I am under the impression that you might have other signature like that So the same receipe should apply:

Just to double check execute the following queries and return the result: 1. SELECT q1.sig_gid,q1.sig_sid,q1.a FROM (SELECT sig_gid,sig_sid,count(*) AS a FROM signature WHERE sig_priority='0' GROUP BY sig_gid,sig_sid) AS q1 WHERE q1.a > 1;

-elz

[s-takehana]

Did you clear the entries in sig_reference before testing the test branch? Which step did you take, etc...

No, I didn't first time. I've also tried to clear sig_reference and delete only duplicate entry. But duplicate entry occurred by restarting Snort Barnyard2 same as before.

SELECT q1.sig_gid,q1.sig_sid,q1.a FROM (SELECT sig_gid,sig_sid,count(*) AS a FROM signature WHERE sig_priority='0' GROUP BY sig_gid,sig_sid) AS q1 WHERE q1.a > 1;

DB1

+---------+---------+-----+
| sig_gid | sig_sid | a   |
+---------+---------+-----+
|       2 |       1 | 216 |
|     100 |       1 | 216 |
|     100 |       2 | 216 |
|     100 |       3 | 216 |
|     101 |       1 | 216 |
|     102 |       1 | 216 |
|     102 |       2 | 216 |
|     102 |       3 | 216 |
|     102 |       4 | 216 |
|     102 |       5 | 216 |
|     102 |       6 | 216 |
|     102 |       7 | 216 |
|     103 |       1 | 216 |
|     103 |       2 | 216 |
|     104 |       1 | 216 |
|     104 |       2 | 216 |
|     105 |       1 | 216 |
|     105 |       2 | 216 |
|     105 |       3 | 216 |
|     105 |       4 | 216 |
|     106 |       1 | 216 |
|     106 |       2 | 216 |
|     106 |       3 | 216 |
|     106 |       4 | 216 |
|     106 |       5 | 216 |
|     110 |       1 | 216 |
|     110 |       2 | 216 |
|     110 |       3 | 216 |
|     110 |       4 | 216 |
|     111 |       1 | 216 |
|     111 |       2 | 216 |
|     111 |       3 | 216 |
|     111 |       4 | 216 |
|     111 |       5 | 216 |
|     111 |       6 | 216 |
|     111 |       7 | 216 |
|     111 |       8 | 216 |
|     111 |       9 | 216 |
|     111 |      10 | 216 |
|     111 |      11 | 216 |
|     111 |      12 | 216 |
|     111 |      13 | 216 |
|     111 |      14 | 216 |
|     111 |      15 | 216 |
|     111 |      16 | 216 |
|     111 |      17 | 216 |
|     111 |      18 | 216 |
|     111 |      19 | 216 |
|     111 |      20 | 216 |
|     111 |      21 | 216 |
|     111 |      22 | 216 |
|     111 |      23 | 216 |
|     111 |      24 | 216 |
|     111 |      25 | 216 |
|     112 |       1 | 216 |
|     112 |       2 | 216 |
|     112 |       3 | 216 |
|     112 |       4 | 216 |
|     113 |       1 | 216 |
|     113 |       2 | 216 |
|     113 |       3 | 216 |
|     113 |       4 | 216 |
|     113 |       5 | 216 |
|     113 |       6 | 216 |
|     113 |       7 | 216 |
|     113 |       8 | 216 |
|     113 |       9 | 216 |
|     113 |      10 | 216 |
|     114 |       1 | 216 |
|     114 |       2 | 216 |
|     114 |       3 | 216 |
|     114 |       4 | 216 |
|     115 |       1 | 216 |
|     115 |       2 | 216 |
|     115 |       3 | 216 |
|     115 |       4 | 216 |
|     115 |       5 | 216 |
|     116 |       1 | 216 |
|     116 |       2 | 216 |
|     116 |       3 | 216 |
|     116 |       4 | 216 |
|     116 |       5 | 216 |
|     116 |       6 | 216 |
|     116 |      45 | 216 |
|     116 |      46 | 216 |
|     116 |      47 | 216 |
|     116 |      54 | 216 |
|     116 |      55 | 216 |
|     116 |      56 | 216 |
|     116 |      57 | 216 |
|     116 |      58 | 216 |
|     116 |      59 | 216 |
|     116 |      95 | 216 |
|     116 |      96 | 216 |
|     116 |      97 | 216 |
|     116 |      98 | 216 |
|     116 |     105 | 216 |
|     116 |     106 | 216 |
|     116 |     107 | 216 |
|     116 |     108 | 216 |
|     116 |     109 | 216 |
|     116 |     110 | 216 |
|     116 |     111 | 216 |
|     116 |     112 | 216 |
|     116 |     120 | 216 |
|     116 |     130 | 216 |
|     116 |     131 | 216 |
|     116 |     132 | 216 |
|     116 |     133 | 216 |
|     116 |     134 | 216 |
|     116 |     140 | 216 |
|     116 |     141 | 216 |
|     116 |     142 | 216 |
|     116 |     143 | 216 |
|     116 |     150 | 216 |
|     116 |     151 | 216 |
|     116 |     160 | 216 |
|     116 |     161 | 216 |
|     116 |     162 | 216 |
|     116 |     163 | 216 |
|     116 |     164 | 216 |
|     116 |     165 | 216 |
|     116 |     170 | 216 |
|     116 |     171 | 216 |
|     116 |     172 | 216 |
|     116 |     173 | 216 |
|     116 |     174 | 216 |
|     116 |     175 | 216 |
|     116 |     176 | 216 |
|     116 |     250 | 216 |
|     116 |     251 | 216 |
|     116 |     252 | 216 |
|     116 |     253 | 216 |
|     116 |     254 | 216 |
|     116 |     255 | 216 |
|     116 |     270 | 216 |
|     116 |     271 | 216 |
|     116 |     272 | 216 |
|     116 |     273 | 216 |
|     116 |     274 | 216 |
|     116 |     275 | 216 |
|     116 |     276 | 216 |
|     116 |     277 | 216 |
|     116 |     278 | 216 |
|     116 |     279 | 216 |
|     116 |     280 | 216 |
|     116 |     281 | 216 |
|     116 |     282 | 216 |
|     116 |     283 | 216 |
|     116 |     285 | 216 |
|     116 |     286 | 216 |
|     116 |     287 | 216 |
|     116 |     288 | 216 |
|     116 |     289 | 216 |
|     116 |     290 | 216 |
|     116 |     291 | 216 |
|     116 |     292 | 216 |
|     116 |     293 | 216 |
|     116 |     294 | 216 |
|     116 |     295 | 216 |
|     116 |     296 | 216 |
|     116 |     297 | 216 |
|     116 |     298 | 216 |
|     116 |     400 | 216 |
|     116 |     401 | 216 |
|     116 |     402 | 216 |
|     116 |     403 | 216 |
|     116 |     404 | 216 |
|     116 |     405 | 216 |
|     116 |     406 | 216 |
|     116 |     407 | 216 |
|     116 |     408 | 216 |
|     116 |     409 | 216 |
|     116 |     410 | 216 |
|     116 |     411 | 216 |
|     116 |     412 | 216 |
|     116 |     413 | 216 |
|     116 |     414 | 216 |
|     116 |     415 | 216 |
|     116 |     416 | 216 |
|     116 |     417 | 216 |
|     116 |     418 | 216 |
|     116 |     419 | 216 |
|     116 |     420 | 216 |
|     116 |     421 | 216 |
|     116 |     422 | 216 |
|     116 |     423 | 216 |
|     116 |     424 | 216 |
|     116 |     425 | 216 |
|     116 |     426 | 216 |
|     116 |     427 | 216 |
|     116 |     428 | 216 |
|     116 |     429 | 216 |
|     116 |     430 | 216 |
|     116 |     431 | 216 |
|     116 |     432 | 216 |
|     116 |     433 | 216 |
|     116 |     434 | 216 |
|     116 |     435 | 216 |
|     116 |     436 | 216 |
|     116 |     437 | 216 |
|     116 |     438 | 216 |
|     116 |     439 | 216 |
|     116 |     440 | 216 |
|     116 |     441 | 216 |
|     116 |     442 | 216 |
|     116 |     443 | 216 |
|     116 |     444 | 216 |
|     116 |     445 | 216 |
|     116 |     446 | 216 |
|     116 |     447 | 216 |
|     116 |     448 | 216 |
|     116 |     449 | 216 |
|     116 |     450 | 216 |
|     116 |     451 | 216 |
|     116 |     452 | 216 |
|     116 |     453 | 216 |
|     116 |     454 | 216 |
|     116 |     455 | 216 |
|     116 |     456 | 216 |
|     117 |       1 | 216 |
|     118 |       1 | 216 |
|     119 |       1 | 216 |
|     119 |       2 | 216 |
|     119 |       3 | 216 |
|     119 |       4 | 216 |
|     119 |       5 | 216 |
|     119 |       6 | 216 |
|     119 |       7 | 216 |
|     119 |       8 | 216 |
|     119 |       9 | 216 |
|     119 |      10 | 216 |
|     119 |      11 | 216 |
|     119 |      12 | 216 |
|     119 |      13 | 216 |
|     119 |      14 | 216 |
|     119 |      15 | 216 |
|     119 |      16 | 216 |
|     119 |      17 | 216 |
|     119 |      18 | 216 |
|     119 |      19 | 216 |
|     119 |      20 | 216 |
|     119 |      21 | 216 |
|     119 |      22 | 216 |
|     119 |      23 | 216 |
|     119 |      24 | 216 |
|     119 |      25 | 216 |
|     119 |      26 | 216 |
|     119 |      27 | 216 |
|     119 |      28 | 216 |
|     119 |      29 | 216 |
|     119 |      30 | 216 |
|     119 |      31 | 216 |
|     119 |      32 | 216 |
|     120 |       1 | 216 |
|     120 |       2 | 216 |
|     120 |       3 | 216 |
|     120 |       4 | 216 |
|     120 |       5 | 216 |
|     120 |       6 | 216 |
|     120 |       7 | 216 |
|     120 |       8 | 216 |
|     120 |       9 | 216 |
|     120 |      10 | 216 |
|     120 |      11 | 216 |
|     121 |       1 | 216 |
|     121 |       2 | 216 |
|     121 |       3 | 216 |
|     121 |       4 | 216 |
|     122 |       1 | 216 |
|     122 |       2 | 216 |
|     122 |       3 | 216 |
|     122 |       4 | 216 |
|     122 |       5 | 216 |
|     122 |       6 | 216 |
|     122 |       7 | 216 |
|     122 |       8 | 216 |
|     122 |       9 | 216 |
|     122 |      10 | 216 |
|     122 |      11 | 216 |
|     122 |      12 | 216 |
|     122 |      13 | 216 |
|     122 |      14 | 216 |
|     122 |      15 | 216 |
|     122 |      16 | 216 |
|     122 |      17 | 216 |
|     122 |      18 | 216 |
|     122 |      19 | 216 |
|     122 |      20 | 216 |
|     122 |      21 | 216 |
|     122 |      22 | 216 |
|     122 |      23 | 216 |
|     122 |      24 | 216 |
|     122 |      25 | 216 |
|     122 |      26 | 216 |
|     122 |      27 | 216 |
|     123 |       1 | 216 |
|     123 |       2 | 216 |
|     123 |       3 | 216 |
|     123 |       4 | 216 |
|     123 |       5 | 216 |
|     123 |       6 | 216 |
|     123 |       7 | 216 |
|     123 |       8 | 216 |
|     123 |       9 | 216 |
|     123 |      10 | 216 |
|     123 |      11 | 216 |
|     123 |      12 | 216 |
|     123 |      13 | 216 |
|     124 |       1 | 216 |
|     124 |       2 | 216 |
|     124 |       3 | 216 |
|     124 |       4 | 216 |
|     124 |       5 | 216 |
|     124 |       6 | 216 |
|     124 |       7 | 216 |
|     124 |       8 | 216 |
|     124 |       9 | 216 |
|     124 |      10 | 216 |
|     124 |      11 | 216 |
|     124 |      12 | 216 |
|     124 |      13 | 216 |
|     125 |       1 | 216 |
|     125 |       2 | 216 |
|     125 |       3 | 216 |
|     125 |       4 | 216 |
|     125 |       5 | 216 |
|     125 |       6 | 216 |
|     125 |       7 | 216 |
|     125 |       8 | 216 |
|     125 |       9 | 216 |
|     126 |       1 | 216 |
|     126 |       2 | 216 |
|     126 |       3 | 216 |
|     128 |       1 | 216 |
|     128 |       2 | 216 |
|     128 |       3 | 216 |
|     128 |       4 | 216 |
|     128 |       5 | 216 |
|     128 |       6 | 216 |
|     128 |       7 | 216 |
|     129 |       1 | 216 |
|     129 |       2 | 216 |
|     129 |       3 | 216 |
|     129 |       4 | 216 |
|     129 |       5 | 216 |
|     129 |       6 | 216 |
|     129 |       7 | 216 |
|     129 |       8 | 216 |
|     129 |       9 | 216 |
|     129 |      10 | 216 |
|     129 |      11 | 216 |
|     129 |      12 | 216 |
|     129 |      13 | 216 |
|     129 |      14 | 216 |
|     129 |      15 | 216 |
|     129 |      16 | 216 |
|     129 |      17 | 216 |
|     129 |      18 | 216 |
|     129 |      19 | 216 |
|     130 |       1 | 216 |
|     131 |       1 | 216 |
|     131 |       2 | 216 |
|     131 |       3 | 216 |
|     133 |       1 | 216 |
|     133 |       2 | 216 |
|     133 |       3 | 216 |
|     133 |       4 | 216 |
|     133 |       5 | 216 |
|     133 |       6 | 216 |
|     133 |       7 | 216 |
|     133 |       8 | 216 |
|     133 |       9 | 216 |
|     133 |      10 | 216 |
|     133 |      11 | 216 |
|     133 |      12 | 216 |
|     133 |      13 | 216 |
|     133 |      14 | 216 |
|     133 |      15 | 216 |
|     133 |      16 | 216 |
|     133 |      17 | 216 |
|     133 |      18 | 216 |
|     133 |      19 | 216 |
|     133 |      20 | 216 |
|     133 |      21 | 216 |
|     133 |      22 | 216 |
|     133 |      23 | 216 |
|     133 |      24 | 216 |
|     133 |      25 | 216 |
|     133 |      26 | 216 |
|     133 |      27 | 216 |
|     133 |      28 | 216 |
|     133 |      29 | 216 |
|     133 |      30 | 216 |
|     133 |      31 | 216 |
|     133 |      32 | 216 |
|     133 |      33 | 216 |
|     133 |      34 | 216 |
|     133 |      35 | 216 |
|     133 |      36 | 216 |
|     133 |      37 | 216 |
|     133 |      38 | 216 |
|     133 |      39 | 216 |
|     133 |      40 | 216 |
|     133 |      41 | 216 |
|     133 |      42 | 216 |
|     133 |      43 | 216 |
|     134 |       1 | 216 |
|     134 |       2 | 216 |
|     135 |       1 | 216 |
|     135 |       2 | 216 |
|     135 |       3 | 216 |
|     136 |       1 | 216 |
|     136 |       2 | 216 |
|     137 |       2 | 216 |
|     140 |       1 | 216 |
|     140 |       2 | 216 |
|     140 |       3 | 216 |
|     140 |       4 | 216 |
|     140 |       5 | 216 |
|     140 |       6 | 216 |
|     140 |       7 | 216 |
|     140 |       8 | 216 |
|     140 |       9 | 216 |
|     140 |      10 | 216 |
|     140 |      11 | 216 |
|     140 |      12 | 216 |
|     140 |      13 | 216 |
|     140 |      14 | 216 |
|     140 |      15 | 216 |
|     140 |      16 | 216 |
|     140 |      17 | 216 |
|     140 |      18 | 216 |
|     140 |      19 | 216 |
|     140 |      20 | 216 |
|     140 |      21 | 216 |
|     140 |      22 | 216 |
|     140 |      23 | 216 |
|     140 |      24 | 216 |
|     140 |      25 | 216 |
|     140 |      26 | 216 |
|     141 |       1 | 216 |
|     141 |       2 | 216 |
|     141 |       3 | 216 |
|     141 |       4 | 216 |
|     141 |       5 | 216 |
|     141 |       6 | 216 |
|     141 |       7 | 216 |
|     142 |       1 | 216 |
|     142 |       2 | 216 |
|     142 |       3 | 216 |
|     142 |       4 | 216 |
|     142 |       5 | 216 |
|     142 |       6 | 216 |
|     142 |       7 | 216 |
|     143 |       1 | 216 |
|     143 |       2 | 216 |
|     143 |       3 | 216 |
|     144 |       1 | 216 |
|     144 |       2 | 216 |
|     144 |       3 | 216 |
|     145 |       1 | 216 |
|     145 |       2 | 216 |
|     145 |       3 | 216 |
|     145 |       4 | 216 |
|     145 |       5 | 216 |
|     145 |       6 | 216 |
+---------+---------+-----+
467 rows in set (0.06 sec)

DB2

+---------+---------+-----+
| sig_gid | sig_sid | a   |
+---------+---------+-----+
|       2 |       1 | 439 |
|     100 |       1 | 439 |
|     100 |       2 | 439 |
|     100 |       3 | 439 |
|     101 |       1 | 439 |
|     102 |       1 | 439 |
|     102 |       2 | 439 |
|     102 |       3 | 439 |
|     102 |       4 | 439 |
|     102 |       5 | 439 |
|     102 |       6 | 439 |
|     102 |       7 | 439 |
|     103 |       1 | 439 |
|     103 |       2 | 439 |
|     104 |       1 | 439 |
|     104 |       2 | 439 |
|     105 |       1 | 439 |
|     105 |       2 | 439 |
|     105 |       3 | 439 |
|     105 |       4 | 439 |
|     106 |       1 | 439 |
|     106 |       2 | 439 |
|     106 |       3 | 439 |
|     106 |       4 | 439 |
|     106 |       5 | 439 |
|     110 |       1 | 439 |
|     110 |       2 | 439 |
|     110 |       3 | 439 |
|     110 |       4 | 439 |
|     111 |       1 | 439 |
|     111 |       2 | 439 |
|     111 |       3 | 439 |
|     111 |       4 | 439 |
|     111 |       5 | 439 |
|     111 |       6 | 439 |
|     111 |       7 | 439 |
|     111 |       8 | 439 |
|     111 |       9 | 439 |
|     111 |      10 | 439 |
|     111 |      11 | 439 |
|     111 |      12 | 439 |
|     111 |      13 | 439 |
|     111 |      14 | 439 |
|     111 |      15 | 439 |
|     111 |      16 | 439 |
|     111 |      17 | 439 |
|     111 |      18 | 439 |
|     111 |      19 | 439 |
|     111 |      20 | 439 |
|     111 |      21 | 439 |
|     111 |      22 | 439 |
|     111 |      23 | 439 |
|     111 |      24 | 439 |
|     111 |      25 | 439 |
|     112 |       1 | 439 |
|     112 |       2 | 439 |
|     112 |       3 | 439 |
|     112 |       4 | 439 |
|     113 |       1 | 439 |
|     113 |       2 | 439 |
|     113 |       3 | 439 |
|     113 |       4 | 439 |
|     113 |       5 | 439 |
|     113 |       6 | 439 |
|     113 |       7 | 439 |
|     113 |       8 | 439 |
|     113 |       9 | 439 |
|     113 |      10 | 439 |
|     114 |       1 | 439 |
|     114 |       2 | 439 |
|     114 |       3 | 439 |
|     114 |       4 | 439 |
|     115 |       1 | 439 |
|     115 |       2 | 439 |
|     115 |       3 | 439 |
|     115 |       4 | 439 |
|     115 |       5 | 439 |
|     116 |       1 | 440 |
|     116 |       2 | 511 |
|     116 |       3 | 511 |
|     116 |       4 | 440 |
|     116 |       5 | 440 |
|     116 |       6 | 511 |
|     116 |      45 | 440 |
|     116 |      46 | 440 |
|     116 |      47 | 440 |
|     116 |      54 | 440 |
|     116 |      55 | 440 |
|     116 |      56 | 440 |
|     116 |      57 | 440 |
|     116 |      58 | 440 |
|     116 |      59 | 440 |
|     116 |      95 | 440 |
|     116 |      96 | 440 |
|     116 |      97 | 440 |
|     116 |      98 | 440 |
|     116 |     105 | 440 |
|     116 |     106 | 440 |
|     116 |     107 | 440 |
|     116 |     108 | 440 |
|     116 |     109 | 440 |
|     116 |     110 | 440 |
|     116 |     111 | 440 |
|     116 |     112 | 440 |
|     116 |     120 | 511 |
|     116 |     130 | 511 |
|     116 |     131 | 511 |
|     116 |     132 | 511 |
|     116 |     133 | 511 |
|     116 |     134 | 511 |
|     116 |     140 | 511 |
|     116 |     141 | 511 |
|     116 |     142 | 511 |
|     116 |     143 | 511 |
|     116 |     150 | 440 |
|     116 |     151 | 440 |
|     116 |     160 | 439 |
|     116 |     161 | 439 |
|     116 |     162 | 439 |
|     116 |     163 | 439 |
|     116 |     164 | 439 |
|     116 |     165 | 439 |
|     116 |     170 | 440 |
|     116 |     171 | 440 |
|     116 |     172 | 440 |
|     116 |     173 | 440 |
|     116 |     174 | 440 |
|     116 |     175 | 440 |
|     116 |     176 | 440 |
|     116 |     250 | 511 |
|     116 |     251 | 511 |
|     116 |     252 | 511 |
|     116 |     253 | 511 |
|     116 |     254 | 511 |
|     116 |     255 | 511 |
|     116 |     270 | 439 |
|     116 |     271 | 439 |
|     116 |     272 | 439 |
|     116 |     273 | 439 |
|     116 |     274 | 511 |
|     116 |     275 | 511 |
|     116 |     276 | 210 |
|     116 |     277 | 210 |
|     116 |     278 | 210 |
|     116 |     279 | 210 |
|     116 |     280 | 210 |
|     116 |     281 | 210 |
|     116 |     282 | 210 |
|     116 |     283 | 210 |
|     116 |     285 | 210 |
|     116 |     286 | 210 |
|     116 |     287 | 210 |
|     116 |     288 | 210 |
|     116 |     289 | 210 |
|     116 |     290 | 210 |
|     116 |     291 | 440 |
|     116 |     292 | 210 |
|     116 |     293 | 210 |
|     116 |     294 | 210 |
|     116 |     295 | 210 |
|     116 |     296 | 210 |
|     116 |     297 | 210 |
|     116 |     298 | 210 |
|     116 |     400 | 511 |
|     116 |     401 | 511 |
|     116 |     402 | 440 |
|     116 |     403 | 440 |
|     116 |     404 | 439 |
|     116 |     405 | 439 |
|     116 |     406 | 440 |
|     116 |     407 | 210 |
|     116 |     408 | 210 |
|     116 |     409 | 210 |
|     116 |     410 | 210 |
|     116 |     411 | 210 |
|     116 |     412 | 210 |
|     116 |     413 | 210 |
|     116 |     414 | 210 |
|     116 |     415 | 210 |
|     116 |     416 | 210 |
|     116 |     417 | 210 |
|     116 |     418 | 210 |
|     116 |     419 | 210 |
|     116 |     420 | 210 |
|     116 |     421 | 210 |
|     116 |     422 | 210 |
|     116 |     423 | 210 |
|     116 |     424 | 210 |
|     116 |     425 | 210 |
|     116 |     426 | 210 |
|     116 |     427 | 210 |
|     116 |     428 | 210 |
|     116 |     429 | 210 |
|     116 |     430 | 210 |
|     116 |     431 | 210 |
|     116 |     432 | 210 |
|     116 |     433 | 210 |
|     116 |     434 | 210 |
|     116 |     435 | 210 |
|     116 |     436 | 210 |
|     116 |     437 | 210 |
|     116 |     438 | 210 |
|     116 |     439 | 210 |
|     116 |     440 | 210 |
|     116 |     441 | 210 |
|     116 |     442 | 210 |
|     116 |     443 | 210 |
|     116 |     444 | 210 |
|     116 |     445 | 210 |
|     116 |     446 | 210 |
|     116 |     447 | 210 |
|     116 |     448 | 210 |
|     116 |     449 | 210 |
|     116 |     450 | 210 |
|     116 |     451 | 210 |
|     116 |     452 | 210 |
|     116 |     453 | 210 |
|     116 |     454 | 210 |
|     116 |     455 | 210 |
|     116 |     456 | 210 |
|     117 |       1 | 511 |
|     118 |       1 | 511 |
|     119 |       1 | 439 |
|     119 |       2 | 439 |
|     119 |       3 | 439 |
|     119 |       4 | 439 |
|     119 |       5 | 439 |
|     119 |       6 | 439 |
|     119 |       7 | 439 |
|     119 |       8 | 439 |
|     119 |       9 | 439 |
|     119 |      10 | 439 |
|     119 |      11 | 439 |
|     119 |      12 | 439 |
|     119 |      13 | 439 |
|     119 |      14 | 439 |
|     119 |      15 | 439 |
|     119 |      16 | 439 |
|     119 |      17 | 439 |
|     119 |      18 | 439 |
|     119 |      19 | 439 |
|     119 |      20 | 439 |
|     119 |      21 | 439 |
|     119 |      22 | 439 |
|     119 |      23 | 210 |
|     119 |      24 | 210 |
|     119 |      25 | 210 |
|     119 |      26 | 210 |
|     119 |      27 | 210 |
|     119 |      28 | 210 |
|     119 |      29 | 210 |
|     119 |      30 | 210 |
|     119 |      31 | 210 |
|     119 |      32 | 210 |
|     120 |       1 | 439 |
|     120 |       2 | 210 |
|     120 |       3 | 210 |
|     120 |       4 | 210 |
|     120 |       5 | 210 |
|     120 |       6 | 210 |
|     120 |       7 | 210 |
|     120 |       8 | 210 |
|     120 |       9 | 210 |
|     120 |      10 | 210 |
|     120 |      11 | 210 |
|     121 |       1 | 439 |
|     121 |       2 | 439 |
|     121 |       3 | 439 |
|     121 |       4 | 439 |
|     122 |       1 | 439 |
|     122 |       2 | 439 |
|     122 |       3 | 439 |
|     122 |       4 | 439 |
|     122 |       5 | 439 |
|     122 |       6 | 439 |
|     122 |       7 | 439 |
|     122 |       8 | 439 |
|     122 |       9 | 439 |
|     122 |      10 | 439 |
|     122 |      11 | 439 |
|     122 |      12 | 439 |
|     122 |      13 | 439 |
|     122 |      14 | 439 |
|     122 |      15 | 439 |
|     122 |      16 | 439 |
|     122 |      17 | 439 |
|     122 |      18 | 439 |
|     122 |      19 | 439 |
|     122 |      20 | 439 |
|     122 |      21 | 439 |
|     122 |      22 | 439 |
|     122 |      23 | 439 |
|     122 |      24 | 439 |
|     122 |      25 | 439 |
|     122 |      26 | 439 |
|     122 |      27 | 439 |
|     123 |       1 | 439 |
|     123 |       2 | 439 |
|     123 |       3 | 439 |
|     123 |       4 | 439 |
|     123 |       5 | 439 |
|     123 |       6 | 439 |
|     123 |       7 | 439 |
|     123 |       8 | 439 |
|     123 |       9 | 439 |
|     123 |      10 | 439 |
|     123 |      11 | 439 |
|     123 |      12 | 439 |
|     123 |      13 | 439 |
|     124 |       1 | 439 |
|     124 |       2 | 439 |
|     124 |       3 | 439 |
|     124 |       4 | 439 |
|     124 |       5 | 439 |
|     124 |       6 | 439 |
|     124 |       7 | 439 |
|     124 |       8 | 439 |
|     124 |       9 | 210 |
|     124 |      10 | 210 |
|     124 |      11 | 210 |
|     124 |      12 | 210 |
|     124 |      13 | 210 |
|     125 |       1 | 439 |
|     125 |       2 | 439 |
|     125 |       3 | 439 |
|     125 |       4 | 439 |
|     125 |       5 | 439 |
|     125 |       6 | 439 |
|     125 |       7 | 439 |
|     125 |       8 | 439 |
|     125 |       9 | 439 |
|     126 |       1 | 439 |
|     126 |       2 | 439 |
|     126 |       3 | 439 |
|     128 |       1 | 439 |
|     128 |       2 | 439 |
|     128 |       3 | 439 |
|     128 |       4 | 439 |
|     128 |       5 | 439 |
|     128 |       6 | 439 |
|     128 |       7 | 439 |
|     129 |       1 | 439 |
|     129 |       2 | 439 |
|     129 |       3 | 439 |
|     129 |       4 | 439 |
|     129 |       5 | 439 |
|     129 |       6 | 439 |
|     129 |       7 | 439 |
|     129 |       8 | 439 |
|     129 |       9 | 439 |
|     129 |      10 | 439 |
|     129 |      11 | 439 |
|     129 |      12 | 439 |
|     129 |      13 | 439 |
|     129 |      14 | 439 |
|     129 |      15 | 210 |
|     129 |      16 | 210 |
|     129 |      17 | 210 |
|     129 |      18 | 210 |
|     129 |      19 | 210 |
|     130 |       1 | 439 |
|     131 |       1 | 439 |
|     131 |       2 | 439 |
|     131 |       3 | 439 |
|     133 |       1 | 439 |
|     133 |       2 | 439 |
|     133 |       3 | 439 |
|     133 |       4 | 440 |
|     133 |       5 | 440 |
|     133 |       6 | 439 |
|     133 |       7 | 439 |
|     133 |       8 | 439 |
|     133 |       9 | 439 |
|     133 |      10 | 439 |
|     133 |      11 | 439 |
|     133 |      12 | 439 |
|     133 |      13 | 439 |
|     133 |      14 | 439 |
|     133 |      15 | 439 |
|     133 |      16 | 439 |
|     133 |      17 | 439 |
|     133 |      18 | 439 |
|     133 |      19 | 439 |
|     133 |      20 | 439 |
|     133 |      21 | 439 |
|     133 |      22 | 439 |
|     133 |      23 | 440 |
|     133 |      24 | 440 |
|     133 |      25 | 440 |
|     133 |      26 | 439 |
|     133 |      27 | 439 |
|     133 |      28 | 439 |
|     133 |      29 | 439 |
|     133 |      30 | 439 |
|     133 |      31 | 439 |
|     133 |      32 | 439 |
|     133 |      33 | 439 |
|     133 |      34 | 439 |
|     133 |      35 | 439 |
|     133 |      36 | 439 |
|     133 |      37 | 439 |
|     133 |      38 | 439 |
|     133 |      39 | 439 |
|     133 |      40 | 439 |
|     133 |      41 | 439 |
|     133 |      42 | 439 |
|     133 |      43 | 439 |
|     134 |       1 | 439 |
|     134 |       2 | 439 |
|     135 |       1 | 439 |
|     135 |       2 | 439 |
|     135 |       3 | 439 |
|     136 |       1 | 210 |
|     136 |       2 | 210 |
|     137 |       2 | 210 |
|     140 |       1 | 210 |
|     140 |       2 | 210 |
|     140 |       3 | 210 |
|     140 |       4 | 210 |
|     140 |       5 | 210 |
|     140 |       6 | 210 |
|     140 |       7 | 210 |
|     140 |       8 | 210 |
|     140 |       9 | 210 |
|     140 |      10 | 210 |
|     140 |      11 | 210 |
|     140 |      12 | 210 |
|     140 |      13 | 210 |
|     140 |      14 | 210 |
|     140 |      15 | 210 |
|     140 |      16 | 210 |
|     140 |      17 | 210 |
|     140 |      18 | 210 |
|     140 |      19 | 210 |
|     140 |      20 | 210 |
|     140 |      21 | 210 |
|     140 |      22 | 210 |
|     140 |      23 | 210 |
|     140 |      24 | 210 |
|     140 |      25 | 210 |
|     140 |      26 | 210 |
|     141 |       1 | 210 |
|     141 |       2 | 210 |
|     141 |       3 | 210 |
|     141 |       4 | 210 |
|     141 |       5 | 210 |
|     141 |       6 | 210 |
|     141 |       7 | 210 |
|     142 |       1 | 210 |
|     142 |       2 | 210 |
|     142 |       3 | 210 |
|     142 |       4 | 210 |
|     142 |       5 | 210 |
|     142 |       6 | 210 |
|     142 |       7 | 210 |
|     143 |       1 | 210 |
|     143 |       2 | 210 |
|     143 |       3 | 210 |
|     144 |       1 | 210 |
|     144 |       2 | 210 |
|     144 |       3 | 210 |
|     145 |       1 | 210 |
|     145 |       2 | 210 |
|     145 |       3 | 210 |
|     145 |       4 | 210 |
|     145 |       5 | 210 |
|     145 |       6 | 210 |
+---------+---------+-----+
467 rows in set (0.19 sec)

[binf]

Are you running native innodb or did you convert to innodb? Which version of mysql are you running?

On Mon, Oct 28, 2013 at 9:39 PM, s-takehana notifications@github.comwrote:

Did you clear the entries in sig_reference before testing the test branch? Which step did you take, etc...

No, I didn't first time. I've also tried to clear sig_reference and delete only duplicate entry. But duplicate entry occurred by restarting Snort Barnyard2 same as before.

SELECT q1.sig_gid,q1.sig_sid,q1.a FROM (SELECT sig_gid,sig_sid,count(*) AS a FROM signature WHERE sig_priority='0' GROUP BY sig_gid,sig_sid) AS q1 WHERE q1.a > 1;

DB1

+---------+---------+-----+ | sig_gid | sig_sid | a | +---------+---------+-----+ | 2 | 1 | 216 | | 100 | 1 | 216 | | 100 | 2 | 216 | | 100 | 3 | 216 | | 101 | 1 | 216 | | 102 | 1 | 216 | | 102 | 2 | 216 | | 102 | 3 | 216 | | 102 | 4 | 216 | | 102 | 5 | 216 | | 102 | 6 | 216 | | 102 | 7 | 216 | | 103 | 1 | 216 | | 103 | 2 | 216 | | 104 | 1 | 216 | | 104 | 2 | 216 | | 105 | 1 | 216 | | 105 | 2 | 216 | | 105 | 3 | 216 | | 105 | 4 | 216 | | 106 | 1 | 216 | | 106 | 2 | 216 | | 106 | 3 | 216 | | 106 | 4 | 216 | | 106 | 5 | 216 | | 110 | 1 | 216 | | 110 | 2 | 216 | | 110 | 3 | 216 | | 110 | 4 | 216 | | 111 | 1 | 216 | | 111 | 2 | 216 | | 111 | 3 | 216 | | 111 | 4 | 216 | | 111 | 5 | 216 | | 111 | 6 | 216 | | 111 | 7 | 216 | | 111 | 8 | 216 | | 111 | 9 | 216 | | 111 | 10 | 216 | | 111 | 11 | 216 | | 111 | 12 | 216 | | 111 | 13 | 216 | | 111 | 14 | 216 | | 111 | 15 | 216 | | 111 | 16 | 216 | | 111 | 17 | 216 | | 111 | 18 | 216 | | 111 | 19 | 216 | | 111 | 20 | 216 | | 111 | 21 | 216 | | 111 | 22 | 216 | | 111 | 23 | 216 | | 111 | 24 | 216 | | 111 | 25 | 216 | | 112 | 1 | 216 | | 112 | 2 | 216 | | 112 | 3 | 216 | | 112 | 4 | 216 | | 113 | 1 | 216 | | 113 | 2 | 216 | | 113 | 3 | 216 | | 113 | 4 | 216 | | 113 | 5 | 216 | | 113 | 6 | 216 | | 113 | 7 | 216 | | 113 | 8 | 216 | | 113 | 9 | 216 | | 113 | 10 | 216 | | 114 | 1 | 216 | | 114 | 2 | 216 | | 114 | 3 | 216 | | 114 | 4 | 216 | | 115 | 1 | 216 | | 115 | 2 | 216 | | 115 | 3 | 216 | | 115 | 4 | 216 | | 115 | 5 | 216 | | 116 | 1 | 216 | | 116 | 2 | 216 | | 116 | 3 | 216 | | 116 | 4 | 216 | | 116 | 5 | 216 | | 116 | 6 | 216 | | 116 | 45 | 216 | | 116 | 46 | 216 | | 116 | 47 | 216 | | 116 | 54 | 216 | | 116 | 55 | 216 | | 116 | 56 | 216 | | 116 | 57 | 216 | | 116 | 58 | 216 | | 116 | 59 | 216 | | 116 | 95 | 216 | | 116 | 96 | 216 | | 116 | 97 | 216 | | 116 | 98 | 216 | | 116 | 105 | 216 | | 116 | 106 | 216 | | 116 | 107 | 216 | | 116 | 108 | 216 | | 116 | 109 | 216 | | 116 | 110 | 216 | | 116 | 111 | 216 | | 116 | 112 | 216 | | 116 | 120 | 216 | | 116 | 130 | 216 | | 116 | 131 | 216 | | 116 | 132 | 216 | | 116 | 133 | 216 | | 116 | 134 | 216 | | 116 | 140 | 216 | | 116 | 141 | 216 | | 116 | 142 | 216 | | 116 | 143 | 216 | | 116 | 150 | 216 | | 116 | 151 | 216 | | 116 | 160 | 216 | | 116 | 161 | 216 | | 116 | 162 | 216 | | 116 | 163 | 216 | | 116 | 164 | 216 | | 116 | 165 | 216 | | 116 | 170 | 216 | | 116 | 171 | 216 | | 116 | 172 | 216 | | 116 | 173 | 216 | | 116 | 174 | 216 | | 116 | 175 | 216 | | 116 | 176 | 216 | | 116 | 250 | 216 | | 116 | 251 | 216 | | 116 | 252 | 216 | | 116 | 253 | 216 | | 116 | 254 | 216 | | 116 | 255 | 216 | | 116 | 270 | 216 | | 116 | 271 | 216 | | 116 | 272 | 216 | | 116 | 273 | 216 | | 116 | 274 | 216 | | 116 | 275 | 216 | | 116 | 276 | 216 | | 116 | 277 | 216 | | 116 | 278 | 216 | | 116 | 279 | 216 | | 116 | 280 | 216 | | 116 | 281 | 216 | | 116 | 282 | 216 | | 116 | 283 | 216 | | 116 | 285 | 216 | | 116 | 286 | 216 | | 116 | 287 | 216 | | 116 | 288 | 216 | | 116 | 289 | 216 | | 116 | 290 | 216 | | 116 | 291 | 216 | | 116 | 292 | 216 | | 116 | 293 | 216 | | 116 | 294 | 216 | | 116 | 295 | 216 | | 116 | 296 | 216 | | 116 | 297 | 216 | | 116 | 298 | 216 | | 116 | 400 | 216 | | 116 | 401 | 216 | | 116 | 402 | 216 | | 116 | 403 | 216 | | 116 | 404 | 216 | | 116 | 405 | 216 | | 116 | 406 | 216 | | 116 | 407 | 216 | | 116 | 408 | 216 | | 116 | 409 | 216 | | 116 | 410 | 216 | | 116 | 411 | 216 | | 116 | 412 | 216 | | 116 | 413 | 216 | | 116 | 414 | 216 | | 116 | 415 | 216 | | 116 | 416 | 216 | | 116 | 417 | 216 | | 116 | 418 | 216 | | 116 | 419 | 216 | | 116 | 420 | 216 | | 116 | 421 | 216 | | 116 | 422 | 216 | | 116 | 423 | 216 | | 116 | 424 | 216 | | 116 | 425 | 216 | | 116 | 426 | 216 | | 116 | 427 | 216 | | 116 | 428 | 216 | | 116 | 429 | 216 | | 116 | 430 | 216 | | 116 | 431 | 216 | | 116 | 432 | 216 | | 116 | 433 | 216 | | 116 | 434 | 216 | | 116 | 435 | 216 | | 116 | 436 | 216 | | 116 | 437 | 216 | | 116 | 438 | 216 | | 116 | 439 | 216 | | 116 | 440 | 216 | | 116 | 441 | 216 | | 116 | 442 | 216 | | 116 | 443 | 216 | | 116 | 444 | 216 | | 116 | 445 | 216 | | 116 | 446 | 216 | | 116 | 447 | 216 | | 116 | 448 | 216 | | 116 | 449 | 216 | | 116 | 450 | 216 | | 116 | 451 | 216 | | 116 | 452 | 216 | | 116 | 453 | 216 | | 116 | 454 | 216 | | 116 | 455 | 216 | | 116 | 456 | 216 | | 117 | 1 | 216 | | 118 | 1 | 216 | | 119 | 1 | 216 | | 119 | 2 | 216 | | 119 | 3 | 216 | | 119 | 4 | 216 | | 119 | 5 | 216 | | 119 | 6 | 216 | | 119 | 7 | 216 | | 119 | 8 | 216 | | 119 | 9 | 216 | | 119 | 10 | 216 | | 119 | 11 | 216 | | 119 | 12 | 216 | | 119 | 13 | 216 | | 119 | 14 | 216 | | 119 | 15 | 216 | | 119 | 16 | 216 | | 119 | 17 | 216 | | 119 | 18 | 216 | | 119 | 19 | 216 | | 119 | 20 | 216 | | 119 | 21 | 216 | | 119 | 22 | 216 | | 119 | 23 | 216 | | 119 | 24 | 216 | | 119 | 25 | 216 | | 119 | 26 | 216 | | 119 | 27 | 216 | | 119 | 28 | 216 | | 119 | 29 | 216 | | 119 | 30 | 216 | | 119 | 31 | 216 | | 119 | 32 | 216 | | 120 | 1 | 216 | | 120 | 2 | 216 | | 120 | 3 | 216 | | 120 | 4 | 216 | | 120 | 5 | 216 | | 120 | 6 | 216 | | 120 | 7 | 216 | | 120 | 8 | 216 | | 120 | 9 | 216 | | 120 | 10 | 216 | | 120 | 11 | 216 | | 121 | 1 | 216 | | 121 | 2 | 216 | | 121 | 3 | 216 | | 121 | 4 | 216 | | 122 | 1 | 216 | | 122 | 2 | 216 | | 122 | 3 | 216 | | 122 | 4 | 216 | | 122 | 5 | 216 | | 122 | 6 | 216 | | 122 | 7 | 216 | | 122 | 8 | 216 | | 122 | 9 | 216 | | 122 | 10 | 216 | | 122 | 11 | 216 | | 122 | 12 | 216 | | 122 | 13 | 216 | | 122 | 14 | 216 | | 122 | 15 | 216 | | 122 | 16 | 216 | | 122 | 17 | 216 | | 122 | 18 | 216 | | 122 | 19 | 216 | | 122 | 20 | 216 | | 122 | 21 | 216 | | 122 | 22 | 216 | | 122 | 23 | 216 | | 122 | 24 | 216 | | 122 | 25 | 216 | | 122 | 26 | 216 | | 122 | 27 | 216 | | 123 | 1 | 216 | | 123 | 2 | 216 | | 123 | 3 | 216 | | 123 | 4 | 216 | | 123 | 5 | 216 | | 123 | 6 | 216 | | 123 | 7 | 216 | | 123 | 8 | 216 | | 123 | 9 | 216 | | 123 | 10 | 216 | | 123 | 11 | 216 | | 123 | 12 | 216 | | 123 | 13 | 216 | | 124 | 1 | 216 | | 124 | 2 | 216 | | 124 | 3 | 216 | | 124 | 4 | 216 | | 124 | 5 | 216 | | 124 | 6 | 216 | | 124 | 7 | 216 | | 124 | 8 | 216 | | 124 | 9 | 216 | | 124 | 10 | 216 | | 124 | 11 | 216 | | 124 | 12 | 216 | | 124 | 13 | 216 | | 125 | 1 | 216 | | 125 | 2 | 216 | | 125 | 3 | 216 | | 125 | 4 | 216 | | 125 | 5 | 216 | | 125 | 6 | 216 | | 125 | 7 | 216 | | 125 | 8 | 216 | | 125 | 9 | 216 | | 126 | 1 | 216 | | 126 | 2 | 216 | | 126 | 3 | 216 | | 128 | 1 | 216 | | 128 | 2 | 216 | | 128 | 3 | 216 | | 128 | 4 | 216 | | 128 | 5 | 216 | | 128 | 6 | 216 | | 128 | 7 | 216 | | 129 | 1 | 216 | | 129 | 2 | 216 | | 129 | 3 | 216 | | 129 | 4 | 216 | | 129 | 5 | 216 | | 129 | 6 | 216 | | 129 | 7 | 216 | | 129 | 8 | 216 | | 129 | 9 | 216 | | 129 | 10 | 216 | | 129 | 11 | 216 | | 129 | 12 | 216 | | 129 | 13 | 216 | | 129 | 14 | 216 | | 129 | 15 | 216 | | 129 | 16 | 216 | | 129 | 17 | 216 | | 129 | 18 | 216 | | 129 | 19 | 216 | | 130 | 1 | 216 | | 131 | 1 | 216 | | 131 | 2 | 216 | | 131 | 3 | 216 | | 133 | 1 | 216 | | 133 | 2 | 216 | | 133 | 3 | 216 | | 133 | 4 | 216 | | 133 | 5 | 216 | | 133 | 6 | 216 | | 133 | 7 | 216 | | 133 | 8 | 216 | | 133 | 9 | 216 | | 133 | 10 | 216 | | 133 | 11 | 216 | | 133 | 12 | 216 | | 133 | 13 | 216 | | 133 | 14 | 216 | | 133 | 15 | 216 | | 133 | 16 | 216 | | 133 | 17 | 216 | | 133 | 18 | 216 | | 133 | 19 | 216 | | 133 | 20 | 216 | | 133 | 21 | 216 | | 133 | 22 | 216 | | 133 | 23 | 216 | | 133 | 24 | 216 | | 133 | 25 | 216 | | 133 | 26 | 216 | | 133 | 27 | 216 | | 133 | 28 | 216 | | 133 | 29 | 216 | | 133 | 30 | 216 | | 133 | 31 | 216 | | 133 | 32 | 216 | | 133 | 33 | 216 | | 133 | 34 | 216 | | 133 | 35 | 216 | | 133 | 36 | 216 | | 133 | 37 | 216 | | 133 | 38 | 216 | | 133 | 39 | 216 | | 133 | 40 | 216 | | 133 | 41 | 216 | | 133 | 42 | 216 | | 133 | 43 | 216 | | 134 | 1 | 216 | | 134 | 2 | 216 | | 135 | 1 | 216 | | 135 | 2 | 216 | | 135 | 3 | 216 | | 136 | 1 | 216 | | 136 | 2 | 216 | | 137 | 2 | 216 | | 140 | 1 | 216 | | 140 | 2 | 216 | | 140 | 3 | 216 | | 140 | 4 | 216 | | 140 | 5 | 216 | | 140 | 6 | 216 | | 140 | 7 | 216 | | 140 | 8 | 216 | | 140 | 9 | 216 | | 140 | 10 | 216 | | 140 | 11 | 216 | | 140 | 12 | 216 | | 140 | 13 | 216 | | 140 | 14 | 216 | | 140 | 15 | 216 | | 140 | 16 | 216 | | 140 | 17 | 216 | | 140 | 18 | 216 | | 140 | 19 | 216 | | 140 | 20 | 216 | | 140 | 21 | 216 | | 140 | 22 | 216 | | 140 | 23 | 216 | | 140 | 24 | 216 | | 140 | 25 | 216 | | 140 | 26 | 216 | | 141 | 1 | 216 | | 141 | 2 | 216 | | 141 | 3 | 216 | | 141 | 4 | 216 | | 141 | 5 | 216 | | 141 | 6 | 216 | | 141 | 7 | 216 | | 142 | 1 | 216 | | 142 | 2 | 216 | | 142 | 3 | 216 | | 142 | 4 | 216 | | 142 | 5 | 216 | | 142 | 6 | 216 | | 142 | 7 | 216 | | 143 | 1 | 216 | | 143 | 2 | 216 | | 143 | 3 | 216 | | 144 | 1 | 216 | | 144 | 2 | 216 | | 144 | 3 | 216 | | 145 | 1 | 216 | | 145 | 2 | 216 | | 145 | 3 | 216 | | 145 | 4 | 216 | | 145 | 5 | 216 | | 145 | 6 | 216 | +---------+---------+-----+ 467 rows in set (0.06 sec)

DB2

+---------+---------+-----+ | sig_gid | sig_sid | a | +---------+---------+-----+ | 2 | 1 | 439 | | 100 | 1 | 439 | | 100 | 2 | 439 | | 100 | 3 | 439 | | 101 | 1 | 439 | | 102 | 1 | 439 | | 102 | 2 | 439 | | 102 | 3 | 439 | | 102 | 4 | 439 | | 102 | 5 | 439 | | 102 | 6 | 439 | | 102 | 7 | 439 | | 103 | 1 | 439 | | 103 | 2 | 439 | | 104 | 1 | 439 | | 104 | 2 | 439 | | 105 | 1 | 439 | | 105 | 2 | 439 | | 105 | 3 | 439 | | 105 | 4 | 439 | | 106 | 1 | 439 | | 106 | 2 | 439 | | 106 | 3 | 439 | | 106 | 4 | 439 | | 106 | 5 | 439 | | 110 | 1 | 439 | | 110 | 2 | 439 | | 110 | 3 | 439 | | 110 | 4 | 439 | | 111 | 1 | 439 | | 111 | 2 | 439 | | 111 | 3 | 439 | | 111 | 4 | 439 | | 111 | 5 | 439 | | 111 | 6 | 439 | | 111 | 7 | 439 | | 111 | 8 | 439 | | 111 | 9 | 439 | | 111 | 10 | 439 | | 111 | 11 | 439 | | 111 | 12 | 439 | | 111 | 13 | 439 | | 111 | 14 | 439 | | 111 | 15 | 439 | | 111 | 16 | 439 | | 111 | 17 | 439 | | 111 | 18 | 439 | | 111 | 19 | 439 | | 111 | 20 | 439 | | 111 | 21 | 439 | | 111 | 22 | 439 | | 111 | 23 | 439 | | 111 | 24 | 439 | | 111 | 25 | 439 | | 112 | 1 | 439 | | 112 | 2 | 439 | | 112 | 3 | 439 | | 112 | 4 | 439 | | 113 | 1 | 439 | | 113 | 2 | 439 | | 113 | 3 | 439 | | 113 | 4 | 439 | | 113 | 5 | 439 | | 113 | 6 | 439 | | 113 | 7 | 439 | | 113 | 8 | 439 | | 113 | 9 | 439 | | 113 | 10 | 439 | | 114 | 1 | 439 | | 114 | 2 | 439 | | 114 | 3 | 439 | | 114 | 4 | 439 | | 115 | 1 | 439 | | 115 | 2 | 439 | | 115 | 3 | 439 | | 115 | 4 | 439 | | 115 | 5 | 439 | | 116 | 1 | 440 | | 116 | 2 | 511 | | 116 | 3 | 511 | | 116 | 4 | 440 | | 116 | 5 | 440 | | 116 | 6 | 511 | | 116 | 45 | 440 | | 116 | 46 | 440 | | 116 | 47 | 440 | | 116 | 54 | 440 | | 116 | 55 | 440 | | 116 | 56 | 440 | | 116 | 57 | 440 | | 116 | 58 | 440 | | 116 | 59 | 440 | | 116 | 95 | 440 | | 116 | 96 | 440 | | 116 | 97 | 440 | | 116 | 98 | 440 | | 116 | 105 | 440 | | 116 | 106 | 440 | | 116 | 107 | 440 | | 116 | 108 | 440 | | 116 | 109 | 440 | | 116 | 110 | 440 | | 116 | 111 | 440 | | 116 | 112 | 440 | | 116 | 120 | 511 | | 116 | 130 | 511 | | 116 | 131 | 511 | | 116 | 132 | 511 | | 116 | 133 | 511 | | 116 | 134 | 511 | | 116 | 140 | 511 | | 116 | 141 | 511 | | 116 | 142 | 511 | | 116 | 143 | 511 | | 116 | 150 | 440 | | 116 | 151 | 440 | | 116 | 160 | 439 | | 116 | 161 | 439 | | 116 | 162 | 439 | | 116 | 163 | 439 | | 116 | 164 | 439 | | 116 | 165 | 439 | | 116 | 170 | 440 | | 116 | 171 | 440 | | 116 | 172 | 440 | | 116 | 173 | 440 | | 116 | 174 | 440 | | 116 | 175 | 440 | | 116 | 176 | 440 | | 116 | 250 | 511 | | 116 | 251 | 511 | | 116 | 252 | 511 | | 116 | 253 | 511 | | 116 | 254 | 511 | | 116 | 255 | 511 | | 116 | 270 | 439 | | 116 | 271 | 439 | | 116 | 272 | 439 | | 116 | 273 | 439 | | 116 | 274 | 511 | | 116 | 275 | 511 | | 116 | 276 | 210 | | 116 | 277 | 210 | | 116 | 278 | 210 | | 116 | 279 | 210 | | 116 | 280 | 210 | | 116 | 281 | 210 | | 116 | 282 | 210 | | 116 | 283 | 210 | | 116 | 285 | 210 | | 116 | 286 | 210 | | 116 | 287 | 210 | | 116 | 288 | 210 | | 116 | 289 | 210 | | 116 | 290 | 210 | | 116 | 291 | 440 | | 116 | 292 | 210 | | 116 | 293 | 210 | | 116 | 294 | 210 | | 116 | 295 | 210 | | 116 | 296 | 210 | | 116 | 297 | 210 | | 116 | 298 | 210 | | 116 | 400 | 511 | | 116 | 401 | 511 | | 116 | 402 | 440 | | 116 | 403 | 440 | | 116 | 404 | 439 | | 116 | 405 | 439 | | 116 | 406 | 440 | | 116 | 407 | 210 | | 116 | 408 | 210 | | 116 | 409 | 210 | | 116 | 410 | 210 | | 116 | 411 | 210 | | 116 | 412 | 210 | | 116 | 413 | 210 | | 116 | 414 | 210 | | 116 | 415 | 210 | | 116 | 416 | 210 | | 116 | 417 | 210 | | 116 | 418 | 210 | | 116 | 419 | 210 | | 116 | 420 | 210 | | 116 | 421 | 210 | | 116 | 422 | 210 | | 116 | 423 | 210 | | 116 | 424 | 210 | | 116 | 425 | 210 | | 116 | 426 | 210 | | 116 | 427 | 210 | | 116 | 428 | 210 | | 116 | 429 | 210 | | 116 | 430 | 210 | | 116 | 431 | 210 | | 116 | 432 | 210 | | 116 | 433 | 210 | | 116 | 434 | 210 | | 116 | 435 | 210 | | 116 | 436 | 210 | | 116 | 437 | 210 | | 116 | 438 | 210 | | 116 | 439 | 210 | | 116 | 440 | 210 | | 116 | 441 | 210 | | 116 | 442 | 210 | | 116 | 443 | 210 | | 116 | 444 | 210 | | 116 | 445 | 210 | | 116 | 446 | 210 | | 116 | 447 | 210 | | 116 | 448 | 210 | | 116 | 449 | 210 | | 116 | 450 | 210 | | 116 | 451 | 210 | | 116 | 452 | 210 | | 116 | 453 | 210 | | 116 | 454 | 210 | | 116 | 455 | 210 | | 116 | 456 | 210 | | 117 | 1 | 511 | | 118 | 1 | 511 | | 119 | 1 | 439 | | 119 | 2 | 439 | | 119 | 3 | 439 | | 119 | 4 | 439 | | 119 | 5 | 439 | | 119 | 6 | 439 | | 119 | 7 | 439 | | 119 | 8 | 439 | | 119 | 9 | 439 | | 119 | 10 | 439 | | 119 | 11 | 439 | | 119 | 12 | 439 | | 119 | 13 | 439 | | 119 | 14 | 439 | | 119 | 15 | 439 | | 119 | 16 | 439 | | 119 | 17 | 439 | | 119 | 18 | 439 | | 119 | 19 | 439 | | 119 | 20 | 439 | | 119 | 21 | 439 | | 119 | 22 | 439 | | 119 | 23 | 210 | | 119 | 24 | 210 | | 119 | 25 | 210 | | 119 | 26 | 210 | | 119 | 27 | 210 | | 119 | 28 | 210 | | 119 | 29 | 210 | | 119 | 30 | 210 | | 119 | 31 | 210 | | 119 | 32 | 210 | | 120 | 1 | 439 | | 120 | 2 | 210 | | 120 | 3 | 210 | | 120 | 4 | 210 | | 120 | 5 | 210 | | 120 | 6 | 210 | | 120 | 7 | 210 | | 120 | 8 | 210 | | 120 | 9 | 210 | | 120 | 10 | 210 | | 120 | 11 | 210 | | 121 | 1 | 439 | | 121 | 2 | 439 | | 121 | 3 | 439 | | 121 | 4 | 439 | | 122 | 1 | 439 | | 122 | 2 | 439 | | 122 | 3 | 439 | | 122 | 4 | 439 | | 122 | 5 | 439 | | 122 | 6 | 439 | | 122 | 7 | 439 | | 122 | 8 | 439 | | 122 | 9 | 439 | | 122 | 10 | 439 | | 122 | 11 | 439 | | 122 | 12 | 439 | | 122 | 13 | 439 | | 122 | 14 | 439 | | 122 | 15 | 439 | | 122 | 16 | 439 | | 122 | 17 | 439 | | 122 | 18 | 439 | | 122 | 19 | 439 | | 122 | 20 | 439 | | 122 | 21 | 439 | | 122 | 22 | 439 | | 122 | 23 | 439 | | 122 | 24 | 439 | | 122 | 25 | 439 | | 122 | 26 | 439 | | 122 | 27 | 439 | | 123 | 1 | 439 | | 123 | 2 | 439 | | 123 | 3 | 439 | | 123 | 4 | 439 | | 123 | 5 | 439 | | 123 | 6 | 439 | | 123 | 7 | 439 | | 123 | 8 | 439 | | 123 | 9 | 439 | | 123 | 10 | 439 | | 123 | 11 | 439 | | 123 | 12 | 439 | | 123 | 13 | 439 | | 124 | 1 | 439 | | 124 | 2 | 439 | | 124 | 3 | 439 | | 124 | 4 | 439 | | 124 | 5 | 439 | | 124 | 6 | 439 | | 124 | 7 | 439 | | 124 | 8 | 439 | | 124 | 9 | 210 | | 124 | 10 | 210 | | 124 | 11 | 210 | | 124 | 12 | 210 | | 124 | 13 | 210 | | 125 | 1 | 439 | | 125 | 2 | 439 | | 125 | 3 | 439 | | 125 | 4 | 439 | | 125 | 5 | 439 | | 125 | 6 | 439 | | 125 | 7 | 439 | | 125 | 8 | 439 | | 125 | 9 | 439 | | 126 | 1 | 439 | | 126 | 2 | 439 | | 126 | 3 | 439 | | 128 | 1 | 439 | | 128 | 2 | 439 | | 128 | 3 | 439 | | 128 | 4 | 439 | | 128 | 5 | 439 | | 128 | 6 | 439 | | 128 | 7 | 439 | | 129 | 1 | 439 | | 129 | 2 | 439 | | 129 | 3 | 439 | | 129 | 4 | 439 | | 129 | 5 | 439 | | 129 | 6 | 439 | | 129 | 7 | 439 | | 129 | 8 | 439 | | 129 | 9 | 439 | | 129 | 10 | 439 | | 129 | 11 | 439 | | 129 | 12 | 439 | | 129 | 13 | 439 | | 129 | 14 | 439 | | 129 | 15 | 210 | | 129 | 16 | 210 | | 129 | 17 | 210 | | 129 | 18 | 210 | | 129 | 19 | 210 | | 130 | 1 | 439 | | 131 | 1 | 439 | | 131 | 2 | 439 | | 131 | 3 | 439 | | 133 | 1 | 439 | | 133 | 2 | 439 | | 133 | 3 | 439 | | 133 | 4 | 440 | | 133 | 5 | 440 | | 133 | 6 | 439 | | 133 | 7 | 439 | | 133 | 8 | 439 | | 133 | 9 | 439 | | 133 | 10 | 439 | | 133 | 11 | 439 | | 133 | 12 | 439 | | 133 | 13 | 439 | | 133 | 14 | 439 | | 133 | 15 | 439 | | 133 | 16 | 439 | | 133 | 17 | 439 | | 133 | 18 | 439 | | 133 | 19 | 439 | | 133 | 20 | 439 | | 133 | 21 | 439 | | 133 | 22 | 439 | | 133 | 23 | 440 | | 133 | 24 | 440 | | 133 | 25 | 440 | | 133 | 26 | 439 | | 133 | 27 | 439 | | 133 | 28 | 439 | | 133 | 29 | 439 | | 133 | 30 | 439 | | 133 | 31 | 439 | | 133 | 32 | 439 | | 133 | 33 | 439 | | 133 | 34 | 439 | | 133 | 35 | 439 | | 133 | 36 | 439 | | 133 | 37 | 439 | | 133 | 38 | 439 | | 133 | 39 | 439 | | 133 | 40 | 439 | | 133 | 41 | 439 | | 133 | 42 | 439 | | 133 | 43 | 439 | | 134 | 1 | 439 | | 134 | 2 | 439 | | 135 | 1 | 439 | | 135 | 2 | 439 | | 135 | 3 | 439 | | 136 | 1 | 210 | | 136 | 2 | 210 | | 137 | 2 | 210 | | 140 | 1 | 210 | | 140 | 2 | 210 | | 140 | 3 | 210 | | 140 | 4 | 210 | | 140 | 5 | 210 | | 140 | 6 | 210 | | 140 | 7 | 210 | | 140 | 8 | 210 | | 140 | 9 | 210 | | 140 | 10 | 210 | | 140 | 11 | 210 | | 140 | 12 | 210 | | 140 | 13 | 210 | | 140 | 14 | 210 | | 140 | 15 | 210 | | 140 | 16 | 210 | | 140 | 17 | 210 | | 140 | 18 | 210 | | 140 | 19 | 210 | | 140 | 20 | 210 | | 140 | 21 | 210 | | 140 | 22 | 210 | | 140 | 23 | 210 | | 140 | 24 | 210 | | 140 | 25 | 210 | | 140 | 26 | 210 | | 141 | 1 | 210 | | 141 | 2 | 210 | | 141 | 3 | 210 | | 141 | 4 | 210 | | 141 | 5 | 210 | | 141 | 6 | 210 | | 141 | 7 | 210 | | 142 | 1 | 210 | | 142 | 2 | 210 | | 142 | 3 | 210 | | 142 | 4 | 210 | | 142 | 5 | 210 | | 142 | 6 | 210 | | 142 | 7 | 210 | | 143 | 1 | 210 | | 143 | 2 | 210 | | 143 | 3 | 210 | | 144 | 1 | 210 | | 144 | 2 | 210 | | 144 | 3 | 210 | | 145 | 1 | 210 | | 145 | 2 | 210 | | 145 | 3 | 210 | | 145 | 4 | 210 | | 145 | 5 | 210 | | 145 | 6 | 210 | +---------+---------+-----+ 467 rows in set (0.19 sec)

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27272456 .

[s-takehana]

Are you running native innodb or did you convert to innodb?

native innodb

Which version of mysql are you running?

5.5.29

[binf]

oh yhea i forgot you upgraded from 2-1.11 right?

On Mon, Oct 28, 2013 at 10:28 PM, s-takehana notifications@github.comwrote:

Are you running native innodb or did you convert to innodb?

native innodb

Which version of mysql are you running?

5.5.29

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27274199 .

[s-takehana]

Yes, I upgraded from 2-1.11.

[binf]

And for the duplicate entry i need data else its impossible to guess where things happens:

Aka same as before, means i need the crash message, the reference, the signature and the signature in sid-msg.map.

On Mon, Oct 28, 2013 at 10:29 PM, beenph beenph@gmail.com wrote:

oh yhea i forgot you upgraded from 2-1.11 right?

On Mon, Oct 28, 2013 at 10:28 PM, s-takehana notifications@github.comwrote:

Are you running native innodb or did you convert to innodb?

native innodb

Which version of mysql are you running?

5.5.29

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27274199 .

[binf]

Tomorow evening my time i will send you a script to run that will fix your event table and your signature table so you wont have this happening.

On Mon, Oct 28, 2013 at 10:30 PM, s-takehana notifications@github.comwrote:

Yes, I upgraded from 2-1.11.

—

Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27274310 .

[s-takehana]

Aka same as before, means i need the crash message, the reference, the signature and the signature in sid-msg.map.

Some duplicate records information are described below.

/var/log/messages

barnyard2:suricata[17692]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
barnyard2:suricata[17692]: INFO database: Defaulting Reconnect sleep time to 5 second
barnyard2:suricata[17692]: ERROR: database mysql_error: Duplicate entry '14969-1' for key 'PRIMARY'
barnyard2:suricata[17692]: #011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('187540','14969','1');]
barnyard2:suricata[17692]: Fatal Error, Quitting..
barnyard2:suricata[17692]: Barnyard2 exiting

MySQL

mysql> SELECT * FROM sig_reference WHERE sig_id = 14969;
+--------+---------+--------+
| sig_id | ref_seq | ref_id |
+--------+---------+--------+
|  14969 |       1 | 181344 |
+--------+---------+--------+
mysql> SELECT COUNT(*) FROM sig_reference WHERE ref_id = 181344;
+----------+
| COUNT(*) |
+----------+
|     3424 |
+----------+
mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 14969;
+-------------------------------------------------+---------+---------+---------+
| sig_name                                        | sig_rev | sig_sid | sig_gid |
+-------------------------------------------------+---------+---------+---------+
| ET SCAN Tomcat Auth Brute Force attempt (admin) |       7 | 2008453 |       1 |
+-------------------------------------------------+---------+---------+---------+
mysql> SELECT * FROM reference WHERE ref_id = 181344;
+--------+---------------+-----------------------------------------------+
| ref_id | ref_system_id | ref_tag                                       |
+--------+---------------+-----------------------------------------------+
| 181344 |             5 | doc.emergingthreats.net/bin/view/Main/2000005 |
+--------+---------------+-----------------------------------------------+
mysql> SELECT * FROM reference WHERE ref_id = 187540;
+--------+---------------+-----------------------------------------------+
| ref_id | ref_system_id | ref_tag                                       |
+--------+---------------+-----------------------------------------------+
| 187540 |             5 | doc.emergingthreats.net/bin/view/Main/2000005 |
+--------+---------------+-----------------------------------------------+

ET PRO ruleset

cat /pathto/suricata/rules/sid-msg.map | grep 2008453
2008453 || ET SCAN Tomcat Auth Brute Force attempt (admin) || url,doc.emergingthreats.net/2008453
cat /pathto/suricata/rules/* | grep 2008453
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:7;)
2008453 || ET SCAN Tomcat Auth Brute Force attempt (admin) || url,doc.emergingthreats.net/2008453

VRT ruleset

cat /pathto/snort/sid-msg.map | grep 2008453
(nothing)

[binf]

For this case the reference seem's to have changed.

If you look at the url returned in the query and the url in your sid-msg.map file.

So in this case just delete the reference in sig_reference and restart the process also, grep for "http://doc.emergingthreats.net/bin/view/Main/2000005" in your sid-msg.map file.

Also, are you sure your barnyard2.conf or command line is pointing to the good sid-msg.map file?

-elz

On Tue, Oct 29, 2013 at 4:59 AM, s-takehana notifications@github.comwrote:

Aka same as before, means i need the crash message, the reference, the signature and the signature in sid-msg.map.

Some duplicate records information are described below.

/var/log/messages

barnyard2:suricata[17692]: INFO database: Defaulting Reconnect/Transaction Error limit to 10 barnyard2:suricata[17692]: INFO database: Defaulting Reconnect sleep time to 5 second barnyard2:suricata[17692]: ERROR: database mysql_error: Duplicate entry '14969-1' for key 'PRIMARY' barnyard2:suricata[17692]: #011SQL=[INSERT INTO sig_reference (ref_id,sig_id,ref_seq) VALUES ('187540','14969','1');] barnyard2:suricata[17692]: Fatal Error, Quitting.. barnyard2:suricata[17692]: Barnyard2 exiting

MySQL

mysql> SELECT * FROM sig_reference WHERE sig_id = 14969; +--------+---------+--------+ | sig_id | ref_seq | ref_id | +--------+---------+--------+ | 14969 | 1 | 181344 | +--------+---------+--------+

mysql> SELECT COUNT(_) FROM sig_reference WHERE refid = 181344; +----------+ | COUNT() | +----------+ | 3424 | +----------+

mysql> SELECT sig_name, sig_rev, sig_sid, sig_gid FROM signature WHERE sig_id = 14969; +-------------------------------------------------+---------+---------+---------+ | sig_name | sig_rev | sig_sid | sig_gid | +-------------------------------------------------+---------+---------+---------+ | ET SCAN Tomcat Auth Brute Force attempt (admin) | 7 | 2008453 | 1 | +-------------------------------------------------+---------+---------+---------+

mysql> SELECT * FROM reference WHERE ref_id = 181344; +--------+---------------+-----------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-----------------------------------------------+ | 181344 | 5 | doc.emergingthreats.net/bin/view/Main/2000005 | +--------+---------------+-----------------------------------------------+

mysql> SELECT * FROM reference WHERE ref_id = 187540; +--------+---------------+-----------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-----------------------------------------------+ | 187540 | 5 | doc.emergingthreats.net/bin/view/Main/2000005 | +--------+---------------+-----------------------------------------------+

ET PRO ruleset

cat /pathto/suricata/rules/sid-msg.map | grep 2008453 2008453 || ET SCAN Tomcat Auth Brute Force attempt (admin) || url,doc.emergingthreats.net/2008453

cat /pathto/suricata/rules/* | grep 2008453 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:7;) 2008453 || ET SCAN Tomcat Auth Brute Force attempt (admin) || url,doc.emergingthreats.net/2008453

VRT ruleset

cat /pathto/snort/sid-msg.map | grep 2008453 (nothing)

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27286740 .

[s-takehana]

grep for "http://doc.emergingthreats.net/bin/view/Main/2000005" in your sid-msg.map file.

cat /pathto/suricata/rules/sid-msg.map | grep "doc.emergingthreats.net/bin/view/Main/2000005"
2000005 || ET EXPLOIT Cisco Telnet Buffer Overflow || url,doc.emergingthreats.net/bin/view/Main/2000005 || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml

Also, are you sure your barnyard2.conf or command line is pointing to the good sid-msg.map file?

Yes, I've confirmed it.

cat /pathto/suricata/barnyard2.conf | grep "config sid_file"
config sid_file:            /pathto/suricata/rules/sid-msg.map
/usr/local/bin/barnyard2 -c /pathto/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert

[binf]

On Wed, Oct 30, 2013 at 3:09 AM, s-takehana notifications@github.com wrote:

grep for "http://doc.emergingthreats.net/bin/view/Main/2000005" in your sid-msg.map file.

cat /pathto/suricata/rules/sid-msg.map | grep "doc.emergingthreats.net/bin/view/Main/2000005" 2000005 || ET EXPLOIT Cisco Telnet Buffer Overflow || url,doc.emergingthreats.net/bin/view/Main/2000005 || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml

What is you observation after the last 3 e-mail, i have asked you info, you return it but do you see that things that you return have no logical antecedants, example the reference you returrned now points to a rule, but that rule has nothing to do with the rule in the previous e-mail....

-elz

[s-takehana]

Sorry to trouble you.

I've resolved a problem of Snort Barnyard2 by below.

• Delete unnecessary records in signature table that don't refer in event table.
• Merge same signature records in signature table and update signature column in event table.

Snort Barnyard2 process is working fine.

Duplicate issue of Suricata Barnyard2, I've tried various things to database but the issue does not resolve.

There is a point which concern me, restarting Barnyard2 increases records in reference table. It seems same information.

Example:

mysql> select * from reference where ref_tag = 'www9.dyndns-server.com%3a8080/pub/botnet-links.html';
+--------+---------------+-----------------------------------------------------+
| ref_id | ref_system_id | ref_tag                                             |
+--------+---------------+-----------------------------------------------------+
| 325856 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 334997 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 347719 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 357311 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 366900 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 376489 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 382968 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 389447 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 395926 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 405515 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
| 411994 |             5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html |
+--------+---------------+-----------------------------------------------------+
11 rows in set (0.05 sec)

Do you intend the behavior?

[binf]

On Tue, Nov 5, 2013 at 4:41 AM, s-takehana notifications@github.com wrote:

Sorry to trouble you.

I've resolved a problem of Snort Barnyard2 by below.

Delete unnecessary records in signature table that don't refer in event table. Merge same signature records in signature table and update signature column in event table.

Snort Barnyard2 process is working fine.

Duplicate issue of Suricata Barnyard2, I've tried various things to database but the issue does not resolve.

Which code branch are you running? 2-1.13 or 2-1.13 bug-fix-release?

There is a point which concern me, restarting Barnyard2 increases records in reference table. It seems same information.

Example:

mysql> select * from reference where ref_tag = 'www9.dyndns-server.com%3a8080/pub/botnet-links.html'; +--------+---------------+-----------------------------------------------------+ | ref_id | ref_system_id | ref_tag | +--------+---------------+-----------------------------------------------------+ | 325856 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 334997 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 347719 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 357311 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 366900 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 376489 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 382968 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 389447 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 395926 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 405515 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | | 411994 | 5 | www9.dyndns-server.com%3a8080/pub/botnet-links.html | +--------+---------------+-----------------------------------------------------+ 11 rows in set (0.05 sec)

You can clear reference and sig_reference table and they will get repopulated at startup. But your stating that each time you restart the process you get duplicates of every records, or just that particular reference?

Do you intend the behavior?

No, it shouldn't happen.

-elz

[s-takehana]

Which code branch are you running? 2-1.13 or 2-1.13 bug-fix-release?

2-1.13 bug-fix-release.

But your stating that each time you restart the process you get duplicates of every records, or just that particular reference?

Particular reference.

I carried out the following.

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM sig_reference;
+----------+
| COUNT(*) |
+----------+
|      183 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    18307 |
+----------+
1 row in set (0.00 sec)

• pkill barnyard2
• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM sig_reference;
+----------+
| COUNT(*) |
+----------+
|      183 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    24370 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT COUNT(*) FROM (SELECT ref_tag, ref_system_id FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) = 1) a;
+----------+
| COUNT(*) |
+----------+
|    12244 |
+----------+
1 row in set (0.19 sec)
mysql> SELECT COUNT(*) * 2 FROM (SELECT ref_tag, ref_system_id FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) = 2) a;
+--------------+
| COUNT(*) * 2 |
+--------------+
|        12126 |
+--------------+
1 row in set (0.17 sec)
mysql> SELECT ref_tag, ref_system_id, COUNT(*) FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) = 1 LIMIT 5;
+----------------------------------------------------------------------------+---------------+----------+
| ref_tag                                                                    | ref_system_id | COUNT(*) |
+----------------------------------------------------------------------------+---------------+----------+
| /packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt              |             5 |        1 |
| /service.real.com/realplayer/security/12142012_player/en/                  |             5 |        1 |
| /www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt |             5 |        1 |
| /www.w3schools.com/jsref/jsref_parseInt.asp                                |             5 |        1 |
| 001be2ad158d7613554befcc4dcb3666                                           |             8 |        1 |
+----------------------------------------------------------------------------+---------------+----------+
5 rows in set (0.19 sec)
mysql> SELECT ref_tag, ref_system_id, COUNT(*) FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) = 2 LIMIT 5;
+---------+---------------+----------+
| ref_tag | ref_system_id | COUNT(*) |
+---------+---------------+----------+
| 10072   |             2 |        2 |
| 10073   |             2 |        2 |
| 10074   |             2 |        2 |
| 10076   |             2 |        2 |
| 10078   |             2 |        2 |
+---------+---------------+----------+
5 rows in set (0.17 sec)
mysql> SELECT * FROM reference_system;
+---------------+-----------------+
| ref_system_id | ref_system_name |
+---------------+-----------------+
|             1 | McAfee          |
|             2 | nessus          |
|             3 | bugtraq         |
|             4 | cve             |
|             5 | url             |
|             6 | secunia         |
|             7 | bid             |
|             8 | md5             |
|             9 | arachNIDS       |
|            10 | osvdb           |
+---------------+-----------------+
10 rows in set (0.00 sec)
mysql> SELECT DISTINCT ref_system_id FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) > 1 ORDER BY ref_system_id;
+---------------+
| ref_system_id |
+---------------+
|             2 |
|             3 |
|             4 |
|             5 |
|             9 |
+---------------+
5 rows in set (0.28 sec)
mysql> SELECT DISTINCT ref_system_id FROM reference GROUP BY ref_tag, ref_system_id  HAVING COUNT(*) = 1 ORDER BY ref_system_id;
+---------------+
| ref_system_id |
+---------------+
|             1 |
|             2 |
|             3 |
|             4 |
|             5 |
|             6 |
|             7 |
|             8 |
|             9 |
|            10 |
+---------------+
10 rows in set (0.35 sec)

[binf]

Ok but its normal that you will get more reference if you do not use the same ruleset.

If you clear tables and do the count of the reference table when you start suricata only then clear then run snort only you will get a different count and if you start either snort after suricata or suricata after snort the amount should be the same and if you start either context and restart them the count shouldn't increment unless you add rules.

Mabey your reference was corrupted before as you queries wouldn't denote what you asked about previously.

You would mabey want to do something like this to check for it:

SELECT a.ref_tag, a.ref_systemid,a.count FROM (SELECT ,count(_) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;

On Tue, Nov 5, 2013 at 9:31 PM, s-takehana notifications@github.com wrote:

Which code branch are you running? 2-1.13 or 2-1.13 bug-fix-release?

2-1.13 bug-fix-release.

But your stating that each time you restart the process you get duplicates of every records, or just that particular reference?

Particular reference.

I carried out the following.

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT COUNT(_) FROM sigreference; +----------+ | COUNT() | +----------+ | 183 | +----------+ 1 row in set (0.00 sec)

mysql> SELECT COUNT() FROM reference; +----------+ | COUNT() | +----------+ | 18307 | +----------+ 1 row in set (0.00 sec)

• pkill barnyard2
• Execute Suricata Barnyard2

mysql> SELECT COUNT(_) FROM sigreference; +----------+ | COUNT() | +----------+ | 183 | +----------+ 1 row in set (0.00 sec)

mysql> SELECT COUNT() FROM reference; +----------+ | COUNT() | +----------+ | 24370 | +----------+ 1 row in set (0.00 sec)

mysql> SELECT COUNT(_) FROM (SELECT ref_tag, ref_system_id FROM reference GROUP BY ref_tag, ref_systemid HAVING COUNT() = 1) a; +----------+ | COUNT(*) | +----------+ | 12244 | +----------+ 1 row in set (0.19 sec)

mysql> SELECT COUNT(_) * 2 FROM (SELECT ref_tag, ref_system_id FROM reference GROUP BY ref_tag, ref_systemid HAVING COUNT() = 2) a; +--------------+ | COUNT() \ 2 | +--------------+ | 12126 | +--------------+ 1 row in set (0.17 sec)

mysql> SELECT ref_tag, ref_systemid, COUNT() FROM reference GROUP BY ref_tag, ref_systemid HAVING COUNT() = 1 LIMIT 5; +----------------------------------------------------------------------------+---------------+----------+ | ref_tag | ref_system_id | COUNT(*) | +----------------------------------------------------------------------------+---------------+----------+ | /packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt | 5 | 1 | | /service.real.com/realplayer/security/12142012_player/en/ | 5 | 1 | | /www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt | 5 | 1 | | /www.w3schools.com/jsref/jsref_parseInt.asp | 5 | 1 | | 001be2ad158d7613554befcc4dcb3666 | 8 | 1 | +----------------------------------------------------------------------------+---------------+----------+ 5 rows in set (0.19 sec)

mysql> SELECT ref_tag, ref_systemid, COUNT() FROM reference GROUP BY ref_tag, ref_systemid HAVING COUNT() = 2 LIMIT 5; +---------+---------------+----------+ | ref_tag | ref_system_id | COUNT(*) | +---------+---------------+----------+ | 10072 | 2 | 2 | | 10073 | 2 | 2 | | 10074 | 2 | 2 | | 10076 | 2 | 2 | | 10078 | 2 | 2 | +---------+---------------+----------+ 5 rows in set (0.17 sec)

mysql> SELECT * FROM reference_system; +---------------+-----------------+ | ref_system_id | ref_system_name | +---------------+-----------------+ | 1 | McAfee | | 2 | nessus | | 3 | bugtraq | | 4 | cve | | 5 | url | | 6 | secunia | | 7 | bid | | 8 | md5 | | 9 | arachNIDS | | 10 | osvdb | +---------------+-----------------+ 10 rows in set (0.00 sec)

mysql> SELECT DISTINCT ref_system_id FROM reference GROUP BY ref_tag, ref_system_id HAVING COUNT(*) > 1 ORDER BY ref_system_id; +---------------+ | ref_system_id | +---------------+ | 2 | | 3 | | 4 | | 5 | | 9 | +---------------+ 5 rows in set (0.28 sec)

mysql> SELECT DISTINCT ref_system_id FROM reference GROUP BY ref_tag, ref_system_id HAVING COUNT(*) = 1 ORDER BY ref_system_id; +---------------+ | ref_system_id | +---------------+ | 1 | | 2 | | 3 | | 4 | | 5 | | 6 | | 7 | | 8 | | 9 | | 10 | +---------------+ 10 rows in set (0.35 sec)

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27836106 .

[s-takehana]

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    11954 |
+----------+
1 row in set (0.00 sec)

• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    28844 |
+----------+
1 row in set (0.00 sec)

• Restart Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    31954 |
+----------+
1 row in set (0.01 sec)

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    18307 |
+----------+
1 row in set (0.00 sec)

• Execute Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    28801 |
+----------+
1 row in set (0.01 sec)

• Restart Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    31964 |
+----------+
1 row in set (0.00 sec)

mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count = 1 LIMIT 5;
+------------------------------------------------------------------------------------+---------------+-------+
| ref_tag                                                                            | ref_system_id | count |
+------------------------------------------------------------------------------------+---------------+-------+
| "research.sunbelt-software.com/threat_display.cfm?name=NicTech.BM2&threatid=15195" |             5 |     1 |
| "support.apple.com/kb/HT4070"                                                      |             5 |     1 |
| /packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt                      |             5 |     1 |
| /service.real.com/realplayer/security/12142012_player/en/                          |             5 |     1 |
| /www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt         |             5 |     1 |
+------------------------------------------------------------------------------------+---------------+-------+
5 rows in set (0.31 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1 LIMIT 5;
+---------+---------------+-------+
| ref_tag | ref_system_id | count |
+---------+---------------+-------+
| 10004   |             3 |     3 |
| 1002    |             3 |     2 |
| 10039   |             3 |     3 |
| 10056   |             3 |     2 |
| 10072   |             2 |     2 |
+---------+---------------+-------+
5 rows in set (0.32 sec)

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;
Empty set (0.16 sec)

• Restart Suricata Barnyard2

mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count = 1 AND a.ref_system_id = 2 LIMIT 5;
+---------+---------------+-------+
| ref_tag | ref_system_id | count |
+---------+---------------+-------+
| 10009   |             2 |     1 |
| 10028   |             2 |     1 |
| 10039   |             2 |     1 |
| 10041   |             2 |     1 |
| 10069   |             2 |     1 |
+---------+---------------+-------+
5 rows in set (0.20 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1 AND a.ref_system_id = 2 LIMIT 5;
+---------+---------------+-------+
| ref_tag | ref_system_id | count |
+---------+---------------+-------+
| 10072   |             2 |     2 |
| 10073   |             2 |     2 |
| 10074   |             2 |     2 |
| 10076   |             2 |     2 |
| 10078   |             2 |     2 |
+---------+---------------+-------+
5 rows in set (0.21 sec)

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10009"
2100337 || GPL FTP CEL overflow attempt || nessus,10009 || cve,1999-0789 || bugtraq,679 || arachnids,257
cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10028"
2100257 || GPL DNS named version attempt || nessus,10028 || arachnids,278
2101616 || GPL DNS named version attempt || nessus,10028
cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10039"
2101666 || GPL ATTACK_RESPONSE index of /cgi-bin/ response || nessus,10039
cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10072"
2100333 || GPL SCAN Finger . query || nessus,10072 || cve,1999-0198 || arachnids,130
cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10073"
2100330 || GPL SCAN Finger Redirection Attempt || nessus,10073 || cve,1999-0105 || arachnids,251
cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10074"
2100525 || GPL POLICY udp port 0 traffic || nessus,10074 || cve,1999-0675 || bugtraq,576

• Restart Suricata Barnyard2 again

mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count = 2;
Empty set (0.27 sec)

[binf]

On Wed, Nov 6, 2013 at 4:44 AM, s-takehana notifications@github.com wrote:

mysql> SELECT COUNT() FROM reference; +----------+ | COUNT() | +----------+ | 31954 | +----------+

mysql> SELECT COUNT() FROM reference; +----------+ | COUNT() | +----------+ | 31964 | +----------+

mysql> SELECT a.ref_tag, a.ref_systemid,a.count FROM (SELECT ,count(_) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1 LIMIT 5; +---------+---------------+-------+ | ref_tag | ref_system_id | count | +---------+---------------+-------+ | 10004 | 3 | 3 | | 1002 | 3 | 2 | | 10039 | 3 | 3 | | 10056 | 3 | 2 | | 10072 | 2 | 2 | +---------+---------------+-------+ 5 rows in set (0.32 sec)

Why did you put a limit on the query i sent you? The difference betwen the two senario is 10 reference.

Can you re-execute without adding a limit an the constraint on system_id?

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT a.ref_tag, a.ref_systemid,a.count FROM (SELECT ,count(_) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1; Empty set (0.16 sec)

• Restart Suricata Barnyard2

mysql> SELECT a.ref_tag, a.ref_systemid,a.count FROM (SELECT ,count(_) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count = 1 AND a.ref_system_id = 2 LIMIT 5; +---------+---------------+-------+ | ref_tag | ref_system_id | count | +---------+---------------+-------+ | 10009 | 2 | 1 | | 10028 | 2 | 1 | | 10039 | 2 | 1 | | 10041 | 2 | 1 | | 10069 | 2 | 1 | +---------+---------------+-------+ 5 rows in set (0.20 sec)

mysql> SELECT a.ref_tag, a.ref_systemid,a.count FROM (SELECT ,count(_) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1 AND a.ref_system_id = 2 LIMIT 5; +---------+---------------+-------+ | ref_tag | ref_system_id | count | +---------+---------------+-------+ | 10072 | 2 | 2 | | 10073 | 2 | 2 | | 10074 | 2 | 2 | | 10076 | 2 | 2 | | 10078 | 2 | 2 | +---------+---------------+-------+ 5 rows in set (0.21 sec)

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10009" 2100337 || GPL FTP CEL overflow attempt || nessus,10009 || cve,1999-0789 || bugtraq,679 || arachnids,257

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10028" 2100257 || GPL DNS named version attempt || nessus,10028 || arachnids,278 2101616 || GPL DNS named version attempt || nessus,10028

Above you have two sid with different sid, same signature name different reference Not causal but you could check into that.

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10039" 2101666 || GPL ATTACK_RESPONSE index of /cgi-bin/ response || nessus,10039

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10072" 2100333 || GPL SCAN Finger . query || nessus,10072 || cve,1999-0198 || arachnids,130

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10073" 2100330 || GPL SCAN Finger Redirection Attempt || nessus,10073 || cve,1999-0105 || arachnids,251

cat /pathto/suricata/rules/sid-msg.map | grep "nessus,10074" 2100525 || GPL POLICY udp port 0 traffic || nessus,10074 || cve,1999-0675 || bugtraq,576

Also you should compare each ref_tag from both sid-msg.map file not just suricata.

-elz

[s-takehana]

Can you re-execute without adding a limit an the constraint on system_id?

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    11954 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;
Empty set (0.12 sec)

• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    28856 |
+----------+
1 row in set (0.01 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
| ref_tag                                                                                                                                              | ref_system_id | count |
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
| 10004                                                                                                                                                |             3 |     2 |
| 10039                                                                                                                                                |             3 |     2 |
| 10078                                                                                                                                                |             3 |     2 |
| 10108                                                                                                                                                |             3 |     2 |
| 10181                                                                                                                                                |             3 |     2 |
| 10183                                                                                                                                                |             3 |     2 |
| 10224                                                                                                                                                |             3 |     2 |
| 10247                                                                                                                                                |             3 |     2 |
| 10290                                                                                                                                                |             3 |     2 |
| 10333                                                                                                                                                |             3 |     2 |
| 10499                                                                                                                                                |             3 |     2 |
| 1053                                                                                                                                                 |             3 |     2 |
| 1065                                                                                                                                                 |             3 |     2 |
| 10720                                                                                                                                                |             3 |     2 |
| 10871                                                                                                                                                |             3 |     2 |
| 10872                                                                                                                                                |             3 |     2 |
| 10976                                                                                                                                                |             3 |     2 |
| 11069                                                                                                                                                |             3 |     2 |
| 1110                                                                                                                                                 |             3 |     2 |
| 11256                                                                                                                                                |             3 |     2 |
| 113                                                                                                                                                  |             3 |     2 |
| 1148                                                                                                                                                 |             3 |     2 |
| 11523                                                                                                                                                |             3 |     2 |
| 1156                                                                                                                                                 |             3 |     2 |
| 1163                                                                                                                                                 |             3 |     2 |
| 11675                                                                                                                                                |             3 |     2 |
| 11730                                                                                                                                                |             3 |     2 |
| 11763                                                                                                                                                |             3 |     2 |
| 11775                                                                                                                                                |             3 |     2 |
| 1187                                                                                                                                                 |             3 |     2 |
| 121                                                                                                                                                  |             3 |     2 |
| 122                                                                                                                                                  |             3 |     2 |
| 124                                                                                                                                                  |             3 |     2 |
| 12484                                                                                                                                                |             3 |     2 |
| 12594                                                                                                                                                |             3 |     2 |
| 12705                                                                                                                                                |             3 |     2 |
| 12781                                                                                                                                                |             3 |     2 |
| 12793                                                                                                                                                |             3 |     2 |
| 12918                                                                                                                                                |             3 |     2 |
| 12919                                                                                                                                                |             3 |     2 |
| 12967                                                                                                                                                |             3 |     2 |
| 12995                                                                                                                                                |             3 |     2 |
| 130                                                                                                                                                  |             3 |     2 |
| 13102                                                                                                                                                |             3 |     2 |
| 13124                                                                                                                                                |             3 |     2 |
| 13217                                                                                                                                                |             3 |     2 |
| 133                                                                                                                                                  |             3 |     2 |
| 134                                                                                                                                                  |             3 |     2 |
| 13530                                                                                                                                                |             3 |     2 |
| 13544                                                                                                                                                |             3 |     2 |
| 13678                                                                                                                                                |             3 |     2 |
| 1372                                                                                                                                                 |             3 |     2 |
| 13727                                                                                                                                                |             3 |     2 |
| 13772                                                                                                                                                |             3 |     2 |
| 1387                                                                                                                                                 |             3 |     2 |
| 13940                                                                                                                                                |             3 |     2 |
| 13978                                                                                                                                                |             3 |     2 |
| 14020                                                                                                                                                |             3 |     2 |
| 14022                                                                                                                                                |             3 |     2 |
| 14042                                                                                                                                                |             3 |     2 |
| 14164                                                                                                                                                |             3 |     2 |
| 14317                                                                                                                                                |             3 |     2 |
| 14400                                                                                                                                                |             3 |     2 |
| 14548                                                                                                                                                |             3 |     2 |
| 1457                                                                                                                                                 |             3 |     2 |
| 14662                                                                                                                                                |             3 |     2 |
| 1480                                                                                                                                                 |             3 |     2 |
| 14845                                                                                                                                                |             3 |     2 |
| 1488                                                                                                                                                 |             3 |     2 |
| 1504                                                                                                                                                 |             3 |     2 |
| 15069                                                                                                                                                |             3 |     2 |
| 1532                                                                                                                                                 |             3 |     2 |
| 1548                                                                                                                                                 |             3 |     2 |
| 15509                                                                                                                                                |             3 |     2 |
| 156                                                                                                                                                  |             3 |     2 |
| 15602                                                                                                                                                |             3 |     2 |
| 16354                                                                                                                                                |             3 |     2 |
| 16396                                                                                                                                                |             3 |     2 |
| 16410                                                                                                                                                |             3 |     2 |
| 1652                                                                                                                                                 |             3 |     2 |
| 1658                                                                                                                                                 |             3 |     2 |
| 16593                                                                                                                                                |             3 |     2 |
| 16633                                                                                                                                                |             3 |     2 |
| 167                                                                                                                                                  |             3 |     2 |
| 16838                                                                                                                                                |             3 |     2 |
| 1690                                                                                                                                                 |             3 |     2 |
| 1712                                                                                                                                                 |             3 |     2 |
| 17264                                                                                                                                                |             3 |     2 |
| 17292                                                                                                                                                |             3 |     2 |
| 17378                                                                                                                                                |             3 |     2 |
| 17503                                                                                                                                                |             3 |     2 |
| 17637                                                                                                                                                |             3 |     2 |
| 17905                                                                                                                                                |             3 |     2 |
| 1806                                                                                                                                                 |             3 |     2 |
| 1816                                                                                                                                                 |             3 |     2 |
| 18198                                                                                                                                                |             3 |     2 |
| 18228                                                                                                                                                |             3 |     2 |
| 18507                                                                                                                                                |             3 |     2 |
| 18630                                                                                                                                                |             3 |     2 |
| 1912                                                                                                                                                 |             3 |     2 |
| 22487                                                                                                                                                |             3 |     2 |
| 22743                                                                                                                                                |             3 |     2 |
| 25048                                                                                                                                                |             3 |     2 |
| 30467                                                                                                                                                |             3 |     2 |
| 31814                                                                                                                                                |             3 |     2 |
| 33272                                                                                                                                                |             3 |     2 |
| 33408                                                                                                                                                |             3 |     2 |
| 37343                                                                                                                                                |             3 |     2 |
| 44530                                                                                                                                                |             3 |     2 |
| 45914                                                                                                                                                |             3 |     2 |
| 45957                                                                                                                                                |             3 |     2 |
| 45980                                                                                                                                                |             3 |     2 |
| 49100                                                                                                                                                |             3 |     2 |
| 5731                                                                                                                                                 |             3 |     2 |
| 5914                                                                                                                                                 |             3 |     2 |
| 6869                                                                                                                                                 |             3 |     2 |
| 7193                                                                                                                                                 |             3 |     2 |
| 8008                                                                                                                                                 |             3 |     2 |
| 8179                                                                                                                                                 |             3 |     2 |
| 819                                                                                                                                                  |             3 |     2 |
| 8205                                                                                                                                                 |             3 |     2 |
| 8234                                                                                                                                                 |             3 |     2 |
| 830                                                                                                                                                  |             3 |     2 |
| 8315                                                                                                                                                 |             3 |     2 |
| 8376                                                                                                                                                 |             3 |     2 |
| 8453                                                                                                                                                 |             3 |     2 |
| 8458                                                                                                                                                 |             3 |     2 |
| 8486                                                                                                                                                 |             3 |     2 |
| 8505                                                                                                                                                 |             3 |     2 |
| 8542                                                                                                                                                 |             3 |     2 |
| 8601                                                                                                                                                 |             3 |     2 |
| 864                                                                                                                                                  |             3 |     2 |
| 866                                                                                                                                                  |             3 |     2 |
| 8704                                                                                                                                                 |             3 |     2 |
| 8826                                                                                                                                                 |             3 |     2 |
| 8875                                                                                                                                                 |             3 |     2 |
| 8974                                                                                                                                                 |             3 |     2 |
| 9178                                                                                                                                                 |             3 |     2 |
| 9382                                                                                                                                                 |             3 |     2 |
| 9696                                                                                                                                                 |             3 |     2 |
| doc.emergingthreats.net/2006706                                                                                                                      |             5 |     2 |
| labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/                                            |             5 |     2 |
| labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/                                                       |             5 |     2 |
| www-01.ibm.com/support/docview.wss?uid=swg21577951                                                                                                   |             5 |     2 |
| www.abuse.ch/?p=3499                                                                                                                                 |             5 |     2 |
| www.abuse.ch/?p=3658                                                                                                                                 |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa11-02.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa11-04.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa13-01.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb09-15.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb10-02.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb10-26.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb11-10.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb11-12.html                                                                                              |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck62.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck632.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck633.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck634.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck90.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck91.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck93.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck94.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck96.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck97.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html                                                                                          |             5 |     2 |
| www.basemont.com/june_2013_exploit_kit_2                                                                                                             |             5 |     2 |
| www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf                                                          |             5 |     2 |
| www.cert.org/advisories/CA-1996-11.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-1998-05.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-05.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-19.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-26.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2002-01.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2002-03.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-99-08-cmsd.html                                                                                                           |             5 |     2 |
| www.cert.pl/news/5587/langswitch_lang/en                                                                                                             |             5 |     2 |
| www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf                                                                                             |             5 |     2 |
| www.corest.com/common/showdoc.php?idx=262                                                                                                            |             5 |     2 |
| www.deependresearch.org/2013/05/under-this-rock-vulnerable.html                                                                                      |             5 |     2 |
| www.econsultant.com/spyware-database/b/bugsprey-a.html                                                                                               |             5 |     2 |
| www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html                                                                                   |             5 |     2 |
| www.eeye.com/html/Research/Advisories/AD20040226.html                                                                                                |             5 |     2 |
| www.eeye.com/html/Research/Advisories/AD20040512A.html                                                                                               |             5 |     2 |
| www.emule-project.net                                                                                                                                |             5 |     2 |
| www.ethereal.com/news/item_20050504_01.html                                                                                                          |             5 |     2 |
| www.exploit-db.com/exploits/15005/                                                                                                                   |             5 |     2 |
| www.f-secure.com/en_EMEA-Labs/news-info/security-advisories/fsc-2011-3.html                                                                          |             5 |     2 |
| www.f-secure.com/weblog/archives/00002227.html                                                                                                       |             5 |     2 |
| www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf                                                                        |             5 |     2 |
| www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html |             5 |     2 |
| www.guninski.com/exim1.html                                                                                                                          |             5 |     2 |
| www.guninski.com/modproxy1.html                                                                                                                      |             5 |     2 |
| www.immunitysec.com/downloads/instantanea.pdf                                                                                                        |             5 |     2 |
| www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf                                                 |             5 |     2 |
| www.isc.org/software/dhcp/advisories/cve-2011-2748                                                                                                   |             5 |     2 |
| www.joltid.com                                                                                                                                       |             5 |     2 |
| www.kahusecurity.com/2011/new-exploit-kit-egypack/                                                                                                   |             5 |     2 |
| www.kahusecurity.com/2012/chinese-exploit-packs/                                                                                                     |             5 |     2 |
| www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/                                                                                |             5 |     2 |
| www.kb.cert.org/vuls/id/485961                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/713878                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/850785                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/875073                                                                                                                       |             5 |     2 |
| www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf                                                              |             5 |     2 |
| www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B                                                    |             5 |     2 |
| www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A                                                         |             5 |     2 |
| www.microsoft.com/technet/security/bulletin/ms05-019.mspx                                                                                            |             5 |     2 |
| www.microsoft.com/technet/security/bulletin/ms05-021.mspx                                                                                            |             5 |     2 |
| www.mozilla.org/security/announce/2011/mfsa2011-13.html                                                                                              |             5 |     2 |
| www.nextgenss.com/advisories/ora-isqlplus.txt                                                                                                        |             5 |     2 |
| www.nextgenss.com/advisories/ora_from_tz.txt                                                                                                         |             5 |     2 |
| www.nextgenss.com/advisories/ora_time_zone.txt                                                                                                       |             5 |     2 |
| www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf                                                                                |             5 |     2 |
| www.phreedom.org/solar/exploits/msasn1-bitstring/                                                                                                    |             5 |     2 |
| www.seculert.com/blog/2013/04/magic-persistent-threat.html                                                                                           |             5 |     2 |
| www.securelist.com/en/analysis/204792180/TDL4_Top_Bot                                                                                                |             5 |     2 |
| www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation                                                          |             5 |     2 |
| www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link                                   |             5 |     2 |
| www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack                                                                         |             5 |     2 |
| www.securelist.com/en/blog/434/The_Chinese_bootkit                                                                                                   |             5 |     2 |
| www.securelist.com/en/descriptions/10322834/Trojan-Banker.Win32.Fibbit.ax                                                                            |             5 |     2 |
| www.secureworks.com/research/threats/htran/                                                                                                          |             5 |     2 |
| www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf                                                                              |             5 |     2 |
| www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded                                                                                      |             5 |     2 |
| www.spywarewarrior.com/rogue_anti-spyware.htm                                                                                                        |             5 |     2 |
| www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02       |             5 |     2 |
| www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once                                                                                |             5 |     2 |
| www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2                                                                     |             5 |     2 |
| www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/                                                                  |             5 |     2 |
| www.uniras.gov.uk/vuls/2004/236929/index.htm                                                                                                         |             5 |     2 |
| www.vopsecurity.org/                                                                                                                                 |             5 |     2 |
| www.w00w00.org/files/w00aimexp/                                                                                                                      |             5 |     2 |
| www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html                                                                                               |             5 |     2 |
| www.xsec.org/index.php?module=Releases&act=view&type=1&id=16                                                                                         |             5 |     2 |
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
234 rows in set (0.26 sec)

[s-takehana]

• pkill barnyard2
• Clear reference and sig_reference table
• Execute Suricata Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    18319 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;
Empty set (0.16 sec)

• Execute Snort Barnyard2

mysql> SELECT COUNT(*) FROM reference;
+----------+
| COUNT(*) |
+----------+
|    28813 |
+----------+
1 row in set (0.00 sec)
mysql> SELECT a.ref_tag, a.ref_system_id,a.count FROM (SELECT *,count(*) as count FROM reference GROUP BY ref_tag,ref_system_id) AS a WHERE a.count > 1;
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
| ref_tag                                                                                                                                              | ref_system_id | count |
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
| 10004                                                                                                                                                |             3 |     2 |
| 10039                                                                                                                                                |             3 |     2 |
| 10078                                                                                                                                                |             3 |     2 |
| 10108                                                                                                                                                |             3 |     2 |
| 10181                                                                                                                                                |             3 |     2 |
| 10183                                                                                                                                                |             3 |     2 |
| 10224                                                                                                                                                |             3 |     2 |
| 10247                                                                                                                                                |             3 |     2 |
| 10290                                                                                                                                                |             3 |     2 |
| 10333                                                                                                                                                |             3 |     2 |
| 10499                                                                                                                                                |             3 |     2 |
| 1053                                                                                                                                                 |             3 |     2 |
| 1065                                                                                                                                                 |             3 |     2 |
| 10720                                                                                                                                                |             3 |     2 |
| 10871                                                                                                                                                |             3 |     2 |
| 10872                                                                                                                                                |             3 |     2 |
| 10976                                                                                                                                                |             3 |     2 |
| 11069                                                                                                                                                |             3 |     2 |
| 1110                                                                                                                                                 |             3 |     2 |
| 11256                                                                                                                                                |             3 |     2 |
| 113                                                                                                                                                  |             3 |     2 |
| 1148                                                                                                                                                 |             3 |     2 |
| 11523                                                                                                                                                |             3 |     2 |
| 1156                                                                                                                                                 |             3 |     2 |
| 1163                                                                                                                                                 |             3 |     2 |
| 11675                                                                                                                                                |             3 |     2 |
| 11730                                                                                                                                                |             3 |     2 |
| 11763                                                                                                                                                |             3 |     2 |
| 11775                                                                                                                                                |             3 |     2 |
| 1187                                                                                                                                                 |             3 |     2 |
| 121                                                                                                                                                  |             3 |     2 |
| 122                                                                                                                                                  |             3 |     2 |
| 124                                                                                                                                                  |             3 |     2 |
| 12484                                                                                                                                                |             3 |     2 |
| 12594                                                                                                                                                |             3 |     2 |
| 12705                                                                                                                                                |             3 |     2 |
| 12781                                                                                                                                                |             3 |     2 |
| 12793                                                                                                                                                |             3 |     2 |
| 12918                                                                                                                                                |             3 |     2 |
| 12919                                                                                                                                                |             3 |     2 |
| 12967                                                                                                                                                |             3 |     2 |
| 12995                                                                                                                                                |             3 |     2 |
| 130                                                                                                                                                  |             3 |     2 |
| 13102                                                                                                                                                |             3 |     2 |
| 13124                                                                                                                                                |             3 |     2 |
| 13217                                                                                                                                                |             3 |     2 |
| 133                                                                                                                                                  |             3 |     2 |
| 134                                                                                                                                                  |             3 |     2 |
| 13530                                                                                                                                                |             3 |     2 |
| 13544                                                                                                                                                |             3 |     2 |
| 13678                                                                                                                                                |             3 |     2 |
| 1372                                                                                                                                                 |             3 |     2 |
| 13727                                                                                                                                                |             3 |     2 |
| 13772                                                                                                                                                |             3 |     2 |
| 1387                                                                                                                                                 |             3 |     2 |
| 13940                                                                                                                                                |             3 |     2 |
| 13978                                                                                                                                                |             3 |     2 |
| 14020                                                                                                                                                |             3 |     2 |
| 14022                                                                                                                                                |             3 |     2 |
| 14042                                                                                                                                                |             3 |     2 |
| 14164                                                                                                                                                |             3 |     2 |
| 14317                                                                                                                                                |             3 |     2 |
| 14400                                                                                                                                                |             3 |     2 |
| 14548                                                                                                                                                |             3 |     2 |
| 1457                                                                                                                                                 |             3 |     2 |
| 14662                                                                                                                                                |             3 |     2 |
| 1480                                                                                                                                                 |             3 |     2 |
| 14845                                                                                                                                                |             3 |     2 |
| 1488                                                                                                                                                 |             3 |     2 |
| 1504                                                                                                                                                 |             3 |     2 |
| 15069                                                                                                                                                |             3 |     2 |
| 1532                                                                                                                                                 |             3 |     2 |
| 1548                                                                                                                                                 |             3 |     2 |
| 15509                                                                                                                                                |             3 |     2 |
| 156                                                                                                                                                  |             3 |     2 |
| 15602                                                                                                                                                |             3 |     2 |
| 16354                                                                                                                                                |             3 |     2 |
| 16396                                                                                                                                                |             3 |     2 |
| 16410                                                                                                                                                |             3 |     2 |
| 1652                                                                                                                                                 |             3 |     2 |
| 1658                                                                                                                                                 |             3 |     2 |
| 16593                                                                                                                                                |             3 |     2 |
| 16633                                                                                                                                                |             3 |     2 |
| 167                                                                                                                                                  |             3 |     2 |
| 16838                                                                                                                                                |             3 |     2 |
| 1690                                                                                                                                                 |             3 |     2 |
| 1712                                                                                                                                                 |             3 |     2 |
| 17264                                                                                                                                                |             3 |     2 |
| 17292                                                                                                                                                |             3 |     2 |
| 17378                                                                                                                                                |             3 |     2 |
| 17503                                                                                                                                                |             3 |     2 |
| 17637                                                                                                                                                |             3 |     2 |
| 17905                                                                                                                                                |             3 |     2 |
| 1806                                                                                                                                                 |             3 |     2 |
| 1816                                                                                                                                                 |             3 |     2 |
| 18198                                                                                                                                                |             3 |     2 |
| 18228                                                                                                                                                |             3 |     2 |
| 18507                                                                                                                                                |             3 |     2 |
| 18630                                                                                                                                                |             3 |     2 |
| 1912                                                                                                                                                 |             3 |     2 |
| 22487                                                                                                                                                |             3 |     2 |
| 22743                                                                                                                                                |             3 |     2 |
| 25048                                                                                                                                                |             3 |     2 |
| 30467                                                                                                                                                |             3 |     2 |
| 31814                                                                                                                                                |             3 |     2 |
| 33272                                                                                                                                                |             3 |     2 |
| 33408                                                                                                                                                |             3 |     2 |
| 37343                                                                                                                                                |             3 |     2 |
| 44530                                                                                                                                                |             3 |     2 |
| 45914                                                                                                                                                |             3 |     2 |
| 45957                                                                                                                                                |             3 |     2 |
| 45980                                                                                                                                                |             3 |     2 |
| 49100                                                                                                                                                |             3 |     2 |
| 5731                                                                                                                                                 |             3 |     2 |
| 5914                                                                                                                                                 |             3 |     2 |
| 6869                                                                                                                                                 |             3 |     2 |
| 7193                                                                                                                                                 |             3 |     2 |
| 8008                                                                                                                                                 |             3 |     2 |
| 8179                                                                                                                                                 |             3 |     2 |
| 819                                                                                                                                                  |             3 |     2 |
| 8205                                                                                                                                                 |             3 |     2 |
| 8234                                                                                                                                                 |             3 |     2 |
| 830                                                                                                                                                  |             3 |     2 |
| 8315                                                                                                                                                 |             3 |     2 |
| 8376                                                                                                                                                 |             3 |     2 |
| 8453                                                                                                                                                 |             3 |     2 |
| 8458                                                                                                                                                 |             3 |     2 |
| 8486                                                                                                                                                 |             3 |     2 |
| 8505                                                                                                                                                 |             3 |     2 |
| 8542                                                                                                                                                 |             3 |     2 |
| 8601                                                                                                                                                 |             3 |     2 |
| 864                                                                                                                                                  |             3 |     2 |
| 866                                                                                                                                                  |             3 |     2 |
| 8704                                                                                                                                                 |             3 |     2 |
| 8826                                                                                                                                                 |             3 |     2 |
| 8875                                                                                                                                                 |             3 |     2 |
| 8974                                                                                                                                                 |             3 |     2 |
| 9178                                                                                                                                                 |             3 |     2 |
| 9382                                                                                                                                                 |             3 |     2 |
| 9696                                                                                                                                                 |             3 |     2 |
| doc.emergingthreats.net/2006706                                                                                                                      |             5 |     2 |
| labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/                                            |             5 |     2 |
| labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/                                                       |             5 |     2 |
| www-01.ibm.com/support/docview.wss?uid=swg21577951                                                                                                   |             5 |     2 |
| www.abuse.ch/?p=3499                                                                                                                                 |             5 |     2 |
| www.abuse.ch/?p=3658                                                                                                                                 |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa11-02.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa11-04.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/advisories/apsa13-01.html                                                                                             |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb09-15.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb10-02.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb10-26.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb11-10.html                                                                                              |             5 |     2 |
| www.adobe.com/support/security/bulletins/apsb11-12.html                                                                                              |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck62.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck632.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck633.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck634.html                                                                                                         |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck90.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck91.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck93.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck94.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck96.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/Policy/PolicyCheck97.html                                                                                                          |             5 |     2 |
| www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html                                                                                          |             5 |     2 |
| www.basemont.com/june_2013_exploit_kit_2                                                                                                             |             5 |     2 |
| www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf                                                          |             5 |     2 |
| www.cert.org/advisories/CA-1996-11.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-1998-05.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-05.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-19.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2001-26.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2002-01.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-2002-03.html                                                                                                              |             5 |     2 |
| www.cert.org/advisories/CA-99-08-cmsd.html                                                                                                           |             5 |     2 |
| www.cert.pl/news/5587/langswitch_lang/en                                                                                                             |             5 |     2 |
| www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf                                                                                             |             5 |     2 |
| www.corest.com/common/showdoc.php?idx=262                                                                                                            |             5 |     2 |
| www.deependresearch.org/2013/05/under-this-rock-vulnerable.html                                                                                      |             5 |     2 |
| www.econsultant.com/spyware-database/b/bugsprey-a.html                                                                                               |             5 |     2 |
| www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html                                                                                   |             5 |     2 |
| www.eeye.com/html/Research/Advisories/AD20040226.html                                                                                                |             5 |     2 |
| www.eeye.com/html/Research/Advisories/AD20040512A.html                                                                                               |             5 |     2 |
| www.emule-project.net                                                                                                                                |             5 |     2 |
| www.ethereal.com/news/item_20050504_01.html                                                                                                          |             5 |     2 |
| www.exploit-db.com/exploits/15005/                                                                                                                   |             5 |     2 |
| www.f-secure.com/en_EMEA-Labs/news-info/security-advisories/fsc-2011-3.html                                                                          |             5 |     2 |
| www.f-secure.com/weblog/archives/00002227.html                                                                                                       |             5 |     2 |
| www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf                                                                        |             5 |     2 |
| www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html |             5 |     2 |
| www.guninski.com/exim1.html                                                                                                                          |             5 |     2 |
| www.guninski.com/modproxy1.html                                                                                                                      |             5 |     2 |
| www.immunitysec.com/downloads/instantanea.pdf                                                                                                        |             5 |     2 |
| www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf                                                 |             5 |     2 |
| www.isc.org/software/dhcp/advisories/cve-2011-2748                                                                                                   |             5 |     2 |
| www.joltid.com                                                                                                                                       |             5 |     2 |
| www.kahusecurity.com/2011/new-exploit-kit-egypack/                                                                                                   |             5 |     2 |
| www.kahusecurity.com/2012/chinese-exploit-packs/                                                                                                     |             5 |     2 |
| www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/                                                                                |             5 |     2 |
| www.kb.cert.org/vuls/id/485961                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/713878                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/850785                                                                                                                       |             5 |     2 |
| www.kb.cert.org/vuls/id/875073                                                                                                                       |             5 |     2 |
| www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf                                                              |             5 |     2 |
| www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B                                                    |             5 |     2 |
| www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A                                                         |             5 |     2 |
| www.microsoft.com/technet/security/bulletin/MS05-019.mspx                                                                                            |             5 |     2 |
| www.microsoft.com/technet/security/bulletin/MS05-021.mspx                                                                                            |             5 |     2 |
| www.mozilla.org/security/announce/2011/mfsa2011-13.html                                                                                              |             5 |     2 |
| www.nextgenss.com/advisories/ora-isqlplus.txt                                                                                                        |             5 |     2 |
| www.nextgenss.com/advisories/ora_from_tz.txt                                                                                                         |             5 |     2 |
| www.nextgenss.com/advisories/ora_time_zone.txt                                                                                                       |             5 |     2 |
| www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf                                                                                |             5 |     2 |
| www.phreedom.org/solar/exploits/msasn1-bitstring/                                                                                                    |             5 |     2 |
| www.seculert.com/blog/2013/04/magic-persistent-threat.html                                                                                           |             5 |     2 |
| www.securelist.com/en/analysis/204792180/TDL4_Top_Bot                                                                                                |             5 |     2 |
| www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation                                                          |             5 |     2 |
| www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link                                   |             5 |     2 |
| www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack                                                                         |             5 |     2 |
| www.securelist.com/en/blog/434/The_Chinese_bootkit                                                                                                   |             5 |     2 |
| www.securelist.com/en/descriptions/10322834/Trojan-Banker.Win32.Fibbit.ax                                                                            |             5 |     2 |
| www.secureworks.com/research/threats/htran/                                                                                                          |             5 |     2 |
| www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf                                                                              |             5 |     2 |
| www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded                                                                                      |             5 |     2 |
| www.spywarewarrior.com/rogue_anti-spyware.htm                                                                                                        |             5 |     2 |
| www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02       |             5 |     2 |
| www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once                                                                                |             5 |     2 |
| www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2                                                                     |             5 |     2 |
| www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/                                                                  |             5 |     2 |
| www.uniras.gov.uk/vuls/2004/236929/index.htm                                                                                                         |             5 |     2 |
| www.vopsecurity.org/                                                                                                                                 |             5 |     2 |
| www.w00w00.org/files/w00aimexp/                                                                                                                      |             5 |     2 |
| www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html                                                                                               |             5 |     2 |
| www.xsec.org/index.php?module=Releases&act=view&type=1&id=16                                                                                         |             5 |     2 |
+------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+-------+
234 rows in set (0.27 sec)

[s-takehana]

Above you have two sid with different sid, same signature name different reference Not causal but you could check into that.

ET PRO sid-msg.map

awk -F '[||]' '{ print $3 }' /pathto/suricata/rules/sid-msg.map | sort | uniq -dc
      2  ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite
      2  ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt
      2  ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt
      2  ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt
      3  ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt
      2  ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host
      2  ET CURRENT_EVENTS BlackHole EK Variant PDF Download
      2  ET CURRENT_EVENTS Blackhole landing page with malicious Java applet
      2  ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)
      2  ET CURRENT_EVENTS Cushion Redirection
      2  ET CURRENT_EVENTS DHL Spam Inbound
      2  ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received
      2  ET CURRENT_EVENTS FedEX Spam Inbound
      2  ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634
      2  ET CURRENT_EVENTS GonDadEK Java Exploit Requested
      2  ET CURRENT_EVENTS Impact Exploit Kit Landing Page
      2  ET CURRENT_EVENTS Malicious iframe
      2  ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)
      2  ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java
      2  ET CURRENT_EVENTS NeoSploit - Version Enumerated - null
      2  ET CURRENT_EVENTS PHISH PayPal - Account Phished
      2  ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure
      2  ET CURRENT_EVENTS Possible Sakura Jar Download
      2  ET CURRENT_EVENTS Possible Zbot Trojan
      2  ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3
      2  ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)
      2  ET CURRENT_EVENTS Sakura encrypted binary (2)
      2  ET CURRENT_EVENTS Sakura - Payload Requested
      2  ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013
      2  ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow
      2  ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013
      2  ET CURRENT_EVENTS StyX Landing Page
      2  ET CURRENT_EVENTS SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download
      2  ET CURRENT_EVENTS TDS Sutra - cookie set
      2  ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
      2  ET CURRENT_EVENTS TDS Sutra - redirect received
      6  ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
      2  ET CURRENT_EVENTS Unknown Exploit Kit Landing Page
      2  ET CURRENT_EVENTS UPS Spam Inbound
      2  ET DELETED FAKEAV client requesting fake scanner page
      2  ET DELETED Zeus POST Request to CnC - content-type variation
      2  ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access
      2  ET INFO JAVA - ClassID
      2  ET INFO Obfuscated fromCharCode
      2  ET INFO Serialized Java Applet (Used by some EKs in the Wild)
      2  ET MALWARE Clickspring.net Spyware Reporting
      2  ET MALWARE Fun Web Products Smileychooser Spyware
      2  ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)
      2  ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)
      2  ET MALWARE Spywaremover Activity
      3  ET MOBILE_MALWARE SslCrypt Server Communication
      2  ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server
      2  ET P2P LimeWire P2P Traffic
      2  ET POLICY Hotmail Compose Message Access
      2  ET POLICY Hotmail Inbox Access
      2  ET POLICY Hotmail Message Access
      2  ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device
      2  ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
      2  ET POLICY Weatherbug Activity
      2  ETPRO ACTIVEX America Online ICQ ActiveX Control DownloadAgent Function Code Execution
      2  ETPRO ACTIVEX CA eTrust Intrusion Detection CallCode ActiveX Control Code Execution
      2  ETPRO ACTIVEX EMC Captiva PixTools Distributed Imaging ActiveX Control File Creation
      2  ETPRO ACTIVEX EMC Captiva QuickScan Pro KeyHelp ActiveX Control Buffer Overflow
      2  ETPRO ACTIVEX HP LoadRunner XUpload.ocx ActiveX Control Arbitrary File Download
      2  ETPRO ACTIVEX HP Software Update Tool ActiveX Control File Overwrite
     15  ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption
      2  ETPRO ACTIVEX Microsoft Office Web Components URL Parsing Buffer Overflow
      4  ETPRO ACTIVEX Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite
      2  ETPRO ACTIVEX Microsoft Windows DHTML Editing Component ActiveX Control Code Execution
      2  ETPRO ACTIVEX Symantec Backup Exec for Windows Server Scheduler ActiveX Control Buffer Overflow
      2  ETPRO ACTIVEX Symantec Multiple Products AeXNSConsoleUtilities Buffer Overflow 1
      2  ETPRO ACTIVEX Symantec Multiple Products AeXNSConsoleUtilities Buffer Overflow 2
      3  ETPRO ACTIVEX VMware COM API ActiveX Control Buffer Overflow
      2  ETPRO ACTIVEX VMware Workstation ActiveX Control vielib.dll Command Execution
      2  ETPRO ACTIVEX Yahoo Messenger ActiveX Control Command Execution
      2  ETPRO DELETED Adobe Flash Player JPG Embedded SWF Processing Heap Overflow
      4  ETPRO DELETED GE (Event 41)Config File Change
      2  ETPRO DELETED JPEG/TIFF Microsoft Windows Color Management Module Buffer Overflow
      2  ETPRO DELETED Microsoft Office XP URL Handling Buffer Overflow
      2  ETPRO DELETED Microsoft Powerpoint pp4x322.dll Insecure Library Loading
      2  ETPRO DELETED Samba Unicode Filename Buffer Overflow
      4  ETPRO DELETED Samba Unicode Filename Buffer Overflow
      2  ETPRO DELETED Samba Wildcard Filename Matching Denial of Service
      2  ETPRO DELETED SCHWEITZER (Event 41)Config File Change
      2  ETPRO DELETED Win32.Banker.bjxx Checkin
     11  ETPRO DOS Active Directory DOS CVE-2013-3868
      2  ETPRO DOS ICMP with truncated IPv6 header CVE-2013-3182
      3  ETPRO DOS Microsoft Windows MSDTC Denial of Service Vulnerability
      2  ETPRO EXPLOIT CA BrightStor ARCServe Backup LGServer Authentication Password Buffer Overflow
      2  ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN-RPC Procedure 191 Code Execution (Published Exploit)
      4  ETPRO EXPLOIT CA BrightStor ARCserve Backup Message Engine Opcode 117 Buffer Overflow
      2  ETPRO EXPLOIT CA License Software GCR Buffer Overflow
      5  ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow
      2  ETPRO EXPLOIT CA Products UDP Discovery Service Remote Buffer Overflow 2
      2  ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow
      2  ETPRO EXPLOIT HP Data Protector OmniInet Service NULL Dereference Denial of Service
      2  ETPRO EXPLOIT HP OpenView Network Node Manager nnmRptConfig.exe nameParams text1 Buffer Overflow
      3  ETPRO EXPLOIT HP OpenView Performance Insight Server Backdoor Account Code Execution
      3  ETPRO EXPLOIT IBM Informix Dynamic Server DBINFO Stack Buffer Overflow
      2  ETPRO EXPLOIT IBM Informix Dynamic Server SET ENVIRONMENT Stack Buffer Overflow
      2  ETPRO EXPLOIT Microsoft Windows Active Directory Crafted LDAP Request Buffer Overflow
      2  ETPRO EXPLOIT MIT Kerberos KDC Authentication Denial of Service
      2  ETPRO EXPLOIT Multiple Vendors librpc.dll Stack Buffer Overflow
      2  ETPRO EXPLOIT Novell GroupWise Agents HTTP 7100 Request Remote Code Execution
      2  ETPRO EXPLOIT Novell GroupWise Agents HTTP 7101 Request Remote Code Execution
      2  ETPRO EXPLOIT Symantec VERITAS NetBackup Volume Manager Buffer Overflow
      2  ETPRO EXPLOIT Trend Micro ServerProtect Crafted RPC Call CMON_NetTestConnection Buffer Overflow
      2  ETPRO EXPLOIT Trend Micro ServerProtect RPC ENG_SetRealTimeScanConfigInfo Buffer Overflow
      2  ETPRO EXPLOIT Veritas Backup Exec Server Remote Registry Access
      2  ETPRO MALWARE Adware.DirectDownloader Checkin
      2  ETPRO MALWARE Adware/MediaGet Checkin
      2  ETPRO MOBILE_MALWARE Android Unknown Malware Checkin
      2  ETPRO NETBIOS Microsoft Powerpoint pp4x322.dll Insecure Library Loading - SMB ASCII
      2  ETPRO NETBIOS Microsoft Powerpoint pp4x322.dll Insecure Library Loading - SMB-DS ASCII
      2  ETPRO NETBIOS Microsoft Powerpoint pp4x322.dll Insecure Library Loading - SMB-DS Unicode
      2  ETPRO NETBIOS Microsoft Powerpoint pp4x322.dll Insecure Library Loading - SMB Unicode
      2  ETPRO NETBIOS Microsoft Windows SMBv2 Infinite Loop Denial of Service
      5  ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow
      2  ETPRO RPC Sun Solaris rpc.ypupdated Command Injection Vulnerability
      3  ETPRO SCADA CONTROL MICROSYSTEMS (Event 10) Lock PLC Attempt
      3  ETPRO SCADA CONTROL MICROSYSTEMS (Event 12) Remote Mode Change Attempt
      4  ETPRO SCADA DIRECTLOGIC (Event 10)Lock PLC Attempt
      4  ETPRO SCADA DIRECTLOGIC (Event 11)Unlock PLC Attempt
      2  ETPRO SCADA DIRECTLOGIC (Event 12)Remote Mode Change Attempt
      2  ETPRO SCADA DIRECTLOGIC (Event 26)Flash Erase
      4  ETPRO SCADA DIRECTLOGIC (Event 27)Firmware Change
      2  ETPRO SCADA DIRECTLOGIC (Event 29)Software Upload
      2  ETPRO SCADA DIRECTLOGIC (Event 31)Reboot or Restart
      2  ETPRO SCADA DIRECTLOGIC (Event 32)Change Time Attempt
      2  ETPRO SCADA DIRECTLOGIC (Event 33)Change Date Attempt
      4  ETPRO SCADA DIRECTLOGIC (Event 39)IP Address Change Attempt
      2  ETPRO SCADA DIRECTLOGIC (Event 45)Software Download
      2  ETPRO SCADA DIRECTLOGIC (Event 47)Device Poll All
      2  ETPRO SCADA DIRECTLOGIC (Event 50)Feature Request
      2  ETPRO SCADA PROSOFT (Event 15) Station Number Error
      2  ETPRO SCADA RealFlex RealWin FC_RFUSER_FCS_LOGIN Buffer Overflow
      2  ETPRO SCADA SCHWEITZER (Event 03)Logout
      2  ETPRO SCADA SCHWEITZER SEL2032-Failed Config File Change
      2  ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 31) Reboot or Restart
      2  ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Authorized Client
      2  ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Unauthorized Client
      2  ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Authorized Client
      2  ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Unauthorized Client
      2  ETPRO SCADA_SPECIAL PROSOFT (Event 31) Reboot or Restart
      2  ETPRO SCADA_SPECIAL ROCKWELL (Event 10)Lock PLC Attempt
      3  ETPRO SCADA_SPECIAL ROCKWELL (Event 12)Remote Mode Change Attempt
      3  ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status
      2  ETPRO SCADA_SPECIAL ROCKWELL (Event 31)Reboot or Restart
      4  ETPRO SCADA_SPECIAL SCHWEITZER (Event 31) Reboot or Restart
      2  ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service
      2  ETPRO TROJAN PWS.Win32/OnLineGames.KQ Checkin
      2  ETPRO TROJAN Trojan-Spy.Win32.KeyLogger.acqh Checkin
      2  ETPRO TROJAN Trojan.Win32.VBKrypt.cugq Checkin
      3  ETPRO TROJAN Unknown Checkin
      2  ETPRO TROJAN Unknown Chinese Malware getting config INSTALL
     14  ETPRO TROJAN Unknown Trojan Checkin
      2  ETPRO TROJAN Win32/Busky.gen Checkin
      2  ETPRO TROJAN Win32/Injector.Autoit.IN Checkin
      2  ETPRO TROJAN Win32/Kryptik.UOM Checkin
      2  ETPRO TROJAN Win32/Meredrop Checkin
      2  ETPRO TROJAN Win32/TrojanDownloader.Banload.QYE Checkin
      2  ETPRO WEB_CLIENT ACD Systems ACDSee Products XPM Values Section Buffer Overflow
      2  ETPRO WEB_CLIENT Adobe Audition Session File Stack Buffer Overflow 1
      2  ETPRO WEB_CLIENT Adobe Audition Session File Stack Buffer Overflow 2
      2  ETPRO WEB_CLIENT Adobe Shockwave Director tSAC Chunk Parsing Memory Corruption
      4  ETPRO WEB_CLIENT Apple QuickTime MOV File String Handling Integer Overflow
      2  ETPRO WEB_CLIENT Apple QuickTime RTSP URL Buffer Overflow
      2  ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 2
      2  ETPRO WEB_CLIENT IBM Informix Client SDK NFX File Processing Stack Buffer Overflow
      2  ETPRO WEB_CLIENT Interent Explorer onscroll CVE-2013-3123
      2  ETPRO WEB_CLIENT Internet Explorer Use-after-free attempt
      2  ETPRO WEB_CLIENT Microsoft Excel File Importing Code Execution
      2  ETPRO WEB_CLIENT Microsoft Excel Set Font Handling Code Execution
      2  ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 1
      2  ETPRO WEB_CLIENT Microsoft Internet Explorer CPasteCommand Use After Free 2
     16  ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free
      2  ETPRO WEB_CLIENT Microsoft OLE Automation String Manipulation Heap Overflow
      2  ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading
      2  ETPRO WEB_CLIENT RealNetworks RealPlayer Invalid Chunk Size Heap Overflow
      2  ETPRO WEB_CLIENT Xpdf Splash DrawImage Integer Overflow
      2  ETPRO WEB_SPECIFIC_APPS Quest Software Big Brother Arbitrary File Deletion and Overwriting
      2  ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1
      2  ET SCAN Possible SQLMAP Scan
      5  ET SHELLCODE Possible Call with No Offset TCP Shellcode
      3  ET SHELLCODE Possible Call with No Offset UDP Shellcode
      2  ET TROJAN Drive DDoS Tool byte command received key=okokokjjk
      2  ET TROJAN Generic - POST To .php w/Extended ASCII Characters
      3  ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin
      2  ET TROJAN Poison Ivy Variant Jan 24 2013
      2  ET TROJAN Potential DNS Command and Control via TXT queries
      2  ET TROJAN Request for fake postal receipt from e-mail link
      2  ET TROJAN Sality - Fake Opera User-Agent
      3  ET TROJAN SSL Cert Used In Unknown Exploit Kit
      2  ET TROJAN STARSYPOUND Client Checkin
      2  ET TROJAN Trojan.BlackRev Download Executable
      2  ET TROJAN Virut Counter/Check-in
      2  ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server
      2  ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific
      2  ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt
      2  ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt
      3  ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability
      2  ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action
      2  ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect
      2  ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction
      2  ET WEB_SERVER Possible Perl Shell in HTTP POST
      2  ET WEB_SERVER WebShell - Generic - c99shell based header
      2  ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat
      2  ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt
      2  ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt
      4  ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability
      2  ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt
      2  ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR
      2  ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt
      2  ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT
      2  ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT
      2  ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE
      2  ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt
      2  ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII
      2  ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT
      2  ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT
      2  ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)
      2  ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)
      2  ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt
      2  ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability
      2  ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
      2  ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt
      3  FILE magic
      2  GPL DELETED xp_displayparamstmt possible buffer overflow
      2  GPL DELETED xp_enumresultset possible buffer overflow
      2  GPL DELETED xp_peekqueue possible buffer overflow
      2  GPL DELETED xp_proxiedmetadata possible buffer overflow
      2  GPL DELETED xp_setsqlsecurity possible buffer overflow
      2  GPL DELETED xp_showcolv possible buffer overflow
      2  GPL DELETED xp_updatecolvbm possible buffer overflow
      2  GPL DNS named authors attempt
      2  GPL DNS named version attempt
      4  GPL EXPLOIT kadmind buffer overflow attempt
      2  GPL EXPLOIT successful kadmind buffer overflow attempt
      3  GPL EXPLOIT unicode directory traversal attempt
      2  GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB-DS winreg andx bind attempt
      2  GPL NETBIOS SMB-DS winreg bind attempt
      2  GPL NETBIOS SMB-DS winreg unicode andx bind attempt
      2  GPL NETBIOS SMB-DS winreg unicode bind attempt
      2  GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
      2  GPL NETBIOS SMB winreg andx bind attempt
      2  GPL NETBIOS SMB winreg bind attempt
      2  GPL NETBIOS SMB winreg unicode andx bind attempt
      2  GPL NETBIOS SMB winreg unicode bind attempt
      2  GPL P2P GNUTella client request
      2  GPL RPC rlogin login failure
      2  GPL SCAN cybercop os probe
      2  GPL SHELLCODE HP-UX NOOP
      2  GPL SHELLCODE SGI NOOP
      3  GPL SHELLCODE sparc NOOP
      2  GPL SQL dbms_offline_og.begin_load buffer overflow attempt
      2  GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt
      2  GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt
      2  GPL SQL sa login failed
      2  GPL SQL shellcode attempt
      2  GPL SQL sp_delete_alert log file deletion
      3  GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include

[s-takehana]

VRT sid-msg.map(Because this is big, I extract)

awk -F '[||]' '{ print $3 }' /pathto/snort/sid-msg.map | sort | uniq -dc
      2  APP-DETECT Dropbox desktop software in use
      2  APP-DETECT Dynamic Internet Technology Freegate application executable download attempt
      2  APP-DETECT Dynamic Internet Technology Freegate application zip download attempt
      3  APP-DETECT Teamviewer remote connection attempt
      2  APP-DETECT Thunder p2p application activity detection
      2  BLACKLIST DNS request for known malware domain aar.bigdepression.net
      2  BLACKLIST DNS request for known malware domain bah001.blackcake.net
      2  BLACKLIST DNS request for known malware domain caci2.infosupports.com
      2  BLACKLIST DNS request for known malware domain catalog.earthsolution.org
      2  BLACKLIST DNS request for known malware domain doa.bigdepression.net
      2  BLACKLIST DNS request for known malware domain epod.businessconsults.net
      2  BLACKLIST DNS request for known malware domain ghma.earthsolution.org
      2  BLACKLIST DNS request for known malware domain hapyy2010.lflinkup.net
      2  BLACKLIST DNS request for known malware domain hav.earthsolution.org
      2  BLACKLIST DNS request for known malware domain info.businessconsults.net
      2  BLACKLIST DNS request for known malware domain inter.earthsolution.org
      2  BLACKLIST DNS request for known malware domain java.earthsolution.org
      2  BLACKLIST DNS request for known malware domain leets.hugesoft.org
      2  BLACKLIST DNS request for known malware domain lucy2.businessconsults.net
      2  BLACKLIST DNS request for known malware domain lucy2.infosupports.com
      2  BLACKLIST DNS request for known malware domain lucy.blackcake.net
      2  BLACKLIST DNS request for known malware domain lucy.businessconsults.net
      2  BLACKLIST DNS request for known malware domain mantech.blackcake.net
      2  BLACKLIST DNS request for known malware domain news.businessconsults.net
      2  BLACKLIST DNS request for known malware domain ou2.infosupports.com
      2  BLACKLIST DNS request for known malware domain ou3.infosupports.com
      2  BLACKLIST DNS request for known malware domain ou7.infosupports.com
      2  BLACKLIST DNS request for known malware domain pop.businessconsults.net
      2  BLACKLIST DNS request for known malware domain pop.dnsweb.org
      2  BLACKLIST DNS request for known malware domain qiao1.bigdepression.net
      2  BLACKLIST DNS request for known malware domain qiao2.bigdepression.net
      2  BLACKLIST DNS request for known malware domain qiao3.bigdepression.net
      2  BLACKLIST DNS request for known malware domain qiao4.bigdepression.net
      2  BLACKLIST DNS request for known malware domain qiao5.bigdepression.net
      2  BLACKLIST DNS request for known malware domain qiao6.bigdepression.net
      2  BLACKLIST DNS request for known malware domain quick.earthsolution.org
      2  BLACKLIST DNS request for known malware domain quiet.earthsolution.org
      2  BLACKLIST DNS request for known malware domain rouji.freespirit.acmetoy.com
      2  BLACKLIST DNS request for known malware domain slnoa.newsonet.net
      2  BLACKLIST DNS request for known malware domain sos.businessconsults.net
      2  BLACKLIST DNS request for known malware domain sports.businessconsults.net
      2  BLACKLIST DNS request for known malware domain srs.infosupports.com
      2  BLACKLIST DNS request for known malware domain ssa.businessconsults.net
      2  BLACKLIST DNS request for known malware domain sys.businessconsults.net
      2  BLACKLIST DNS request for known malware domain trb.arrowservice.net
      2  BLACKLIST DNS request for known malware domain visual.earthsolution.org
      2  BLACKLIST DNS request for known malware domain vop.earthsolution.org
      2  BLACKLIST DNS request for known malware domain vope.purpledaily.com
      2  BLACKLIST DNS request for known malware domain www2.wikaba.com
      2  BLACKLIST DNS request for known malware domain yang1.infosupports.com
      2  BLACKLIST DNS request for known malware domain yang2.infosupports.com
      2  BLACKLIST User-Agent known malicious user-agent string GPRecover
      2  BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent
      2  BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution
      2  BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt
      4  BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow
      3  BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt
      2  BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt
      2  BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt
      2  BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt
      4  BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt
      2  BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt
      2  BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt
      2  BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt
      4  BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt
      2  BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption
      6  BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt
      2  BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt
      2  BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution
      4  BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt
      2  BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt
      2  BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt
      2  BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt
      2  BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt
      2  BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt
      2  BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt
      2  BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt
      2  BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt
      2  BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt
      2  BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt
      2  BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt
      4  BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt
      2  BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt
      4  BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 null character in string information disclosure attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt
      8  BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 style properties use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 table th element use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer 9 use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer asynchronous code execution attempt
      2  BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt
      2  BROWSER-IE Microsoft Internet Explorer button object use after free memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt
      4  BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt
     11  BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer CHTMLEditor use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
      2  BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt
     10  BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt
      6  BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt
      3  BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt
      2  BROWSER-IE Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt
      2  BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt
      4  BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt
      4  BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt
      4  BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt
      2  BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt
     12  BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer display node use after free attempt
      5  BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt
      6  BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt
      2  BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt
      2  BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer htc file use after free attempt
      3  BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt
      3  BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt
      2  BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt
      3  BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt
      5  BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer iframe use after free attempt
      3  BROWSER-IE Microsoft Internet Explorer image download spoofing attempt
      3  BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt
      3  BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt
      2  BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt
      2  BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt
      2  BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt
      8  BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt
      2  BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
      2  BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt
      3  BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal
      2  BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer MsgBox arbitrary code execution attempt
      2  BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt
      2  BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt
      5  BROWSER-IE Microsoft Internet Explorer null object access attempt
      2  BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt
      6  BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer orphan DOM objects memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt
      4  BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt
      5  BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt
      3  BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt
      2  BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt
      4  BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt
      4  BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer static text range overflow attempt
      2  BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt
      2  BROWSER-IE Microsoft Internet Explorer telnet.exe file load exploit attempt
      2  BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt
      7  BROWSER-IE Microsoft Internet Explorer use after free attempt
      6  BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt
      2  BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt
      2  BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt
      3  BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt
      2  BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value
      2  BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt
      2  BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt
      2  BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt
      2  BROWSER-OTHER HTML5 canvas element heap spray attempt
      2  BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt
      2  BROWSER-OTHER Opera file URI handling buffer overflow
      2  BROWSER-OTHER Opera use after free attempt
      2  BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access
      2  BROWSER-PLUGINS AcroPDF.PDF ActiveX function call access
      2  BROWSER-PLUGINS AdminStudio and InstallShield ActiveX clsid access attempt
      2  BROWSER-PLUGINS AdminStudio and InstallShield ActiveX function call access attempt
      2  BROWSER-PLUGINS AOL Radio AmpX ActiveX clsid access
      2  BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt
      2  BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access
      2  BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX function call access
      2  BROWSER-PLUGINS Autodesk iDrop ActiveX clsid access
      3  BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX clsid access
      3  BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX function call access
      2  BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access
      2  BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access
      4  BROWSER-PLUGINS Chilkat Socket ActiveX clsid access
      2  BROWSER-PLUGINS Cisco AnyConnect ActiveX clsid access
      2  BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt
      2  BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access
      2  BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access
      2  BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt
      2  BROWSER-PLUGINS ClearQuest session stack corruption attempt
      2  BROWSER-PLUGINS Computer Associates gui_cm_ctrls ActiveX clsid access
      5  BROWSER-PLUGINS DigWebX MSN ActiveX object access
      2  BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt
      2  BROWSER-PLUGINS EMC ApplicationXtender Desktop ActiveX function call attempt
      2  BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt
      2  BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt
      4  BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt
      8  BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access
      2  BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access
      4  BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt
      7  BROWSER-PLUGINS HP Photo Creative ActiveX clsid access
      2  BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access
      2  BROWSER-PLUGINS IBM Lotus iNotes buffer overflow ActiveX clsid access
      2  BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt
      2  BROWSER-PLUGINS IBM Lotus SameTime STJNILoader ActiveX clsid access attempt
      2  BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access
      2  BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access
      2  BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt
      2  BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access
      2  BROWSER-PLUGINS ICONICS WebHMI ActiveX clsid access attempt
      2  BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access
      2  BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access
      2  BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt
      2  BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt
      4  BROWSER-PLUGINS Java security warning bypass through JWS attempt
      2  BROWSER-PLUGINS Kodak Image Editing ActiveX object access
      2  BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt
      2  BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt
      2  BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid attempt
      2  BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX function call attempt
      6  BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access
      4  BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access
      6  BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access
      2  BROWSER-PLUGINS Microsoft Internet Explorer Active Setup ActiveX object access
      2  BROWSER-PLUGINS Microsoft Internet Explorer Blnmgrps.dll ActiveX object access
      3  BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt
     24  BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt
      2  BROWSER-PLUGINS Microsoft Internet Explorer Time DATIME.DLL ActiveX clsid access
      2  BROWSER-PLUGINS Microsoft Rich TextBox ActiveX clsid access
      2  BROWSER-PLUGINS Microsoft Silverlight inheritance restriction bypass
      2  BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access
      2  BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access
      2  BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access
      2  BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt
      2  BROWSER-PLUGINS Microsoft Windows Media Services CallHTMLHelp ActiveX buffer overflow attempt
      2  BROWSER-PLUGINS Microsoft Windows MsnPUpld ActiveX object access
     11  BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt
      2  BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access
      2  BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access
      2  BROWSER-PLUGINS Microsoft Windows Terminal Services Advanced Client ActiveX object access
      2  BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access
      2  BROWSER-PLUGINS Novell iPrint ActiveX clsid access
      2  BROWSER-PLUGINS Novell iPrint ActiveX function call access
      2  BROWSER-PLUGINS Oracle AutoVue ActiveX control directory traversal attempt
      2  BROWSER-PLUGINS Oracle Document Capture ActiveX function call access
      2  BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access
      2  BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt
      2  BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt
      6  BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt
      2  BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access
      2  BROWSER-PLUGINS PPMate PPMPlayer.dll ActiveX clsid access
      2  BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX clsid access
      2  BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX function call access
      2  BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt
      2  BROWSER-PLUGINS RealNetworks RealPlayer Ierpplug.dll ActiveX function call access
      2  BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL ActiveX function call access
      4  BROWSER-PLUGINS SafeNet ActiveX clsid access
      4  BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt
      2  BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX clsid access
      2  BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX function call access
      2  BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt
      2  BROWSER-PLUGINS SigPlus Pro ActiveX clsid access
      2  BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX clsid access
      2  BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX function call access
      3  BROWSER-PLUGINS Symantec Norton Antivirus ActiveX clsid access
      5  BROWSER-PLUGINS Teechart Professional ActiveX clsid access
      2  BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access
      4  BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX clsid access
      2  BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access
      2  BROWSER-PLUGINS Trend Micro HouseCall ActiveX clsid access
      2  BROWSER-PLUGINS Trend Micro HouseCall ActiveX function call access
      3  BROWSER-PLUGINS Trend Micro Web Deployment ActiveX clsid access
      2  BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access
      2  BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access
     24  BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt
      2  BROWSER-PLUGINS Viscom Software Image Viewer ActiveX function call access
      4  BROWSER-PLUGINS VMWare Remote Console format string code execution attempt
      2  BROWSER-PLUGINS Yahoo Music Jukebox ActiveX exploit
      2  BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt
      2  BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt
      2  BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt
      4  BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt
      3  BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt
      2  BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt
      2  BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt
      2  BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt
      2  BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt
      2  CONTENT-REPLACE QQ 2009 deny tcp login
      2  DNS Multiple vendor DNS message decompression denial of service attempt
      5  EXPLOIT-KIT Blackhole exploit kit landing page
      3  EXPLOIT-KIT Blackhole exploit kit landing page download attempt
      4  EXPLOIT-KIT Blackhole exploit kit landing page retrieval
      5  EXPLOIT-KIT Blackhole exploit kit landing page - specific structure
      2  EXPLOIT-KIT Blackhole exploit kit landing page with specific header
      2  EXPLOIT-KIT Blackhole exploit kit landing page with specific structure
      3  EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch
      3  EXPLOIT-KIT Blackhole redirection attempt
      2  EXPLOIT-KIT Blackhole suspected landing page
      2  EXPLOIT-KIT Blackholev2/Cool exploit kit landing page
      2  EXPLOIT-KIT Blackholev2 exploit kit landing page
      2  EXPLOIT-KIT Blackholev2 exploit kit landing page
      2  EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt
      3  EXPLOIT-KIT Blackholev2 exploit kit landing page in an email
      2  EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure
      3  EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure
      2  EXPLOIT-KIT Blackholev2 exploit kit malicious jar download
      2  EXPLOIT-KIT Blackholev2 exploit kit redirection injection
      2  EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure
      3  EXPLOIT-KIT Blackholev2 exploit kit redirection successful
      8  EXPLOIT-KIT Bleeding Life exploit kit module call
      2  EXPLOIT-KIT Cool exploit kit 32-bit font file download
      2  EXPLOIT-KIT Cool exploit kit 64-bit font file download
     10  EXPLOIT-KIT Cool exploit kit EOT file download
      9  EXPLOIT-KIT Cool exploit kit java exploit retrieval
      4  EXPLOIT-KIT Cool exploit kit landing page
      4  EXPLOIT-KIT Cool exploit kit landing page - specific structure
     12  EXPLOIT-KIT Cool exploit kit malicious class file download
      3  EXPLOIT-KIT Cool exploit kit malicious jar file download
      2  EXPLOIT-KIT Cool exploit kit outbound request
      3  EXPLOIT-KIT Cool exploit kit PDF exploit
      2  EXPLOIT-KIT Cool exploit kit - PDF Exploit
      4  EXPLOIT-KIT Cool exploit kit pdf exploit retrieval
      2  EXPLOIT-KIT Cool exploit kit Portable Executable download
      2  EXPLOIT-KIT Cool exploit kit redirection page
      3  EXPLOIT-KIT Cool exploit kit SWF file download
      3  EXPLOIT-KIT Crimeboss exploit kit - Java exploit download
      3  EXPLOIT-KIT Crimeboss exploit kit outbound connection
      3  EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt
      2  EXPLOIT-KIT Crimeboss exploit kit redirection attempt
      2  EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download
      2  EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt
      2  EXPLOIT-KIT Egypack exploit kit landing page
      7  EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator
      2  EXPLOIT-KIT Gong Da exploit kit Java exploit requested
      2  EXPLOIT-KIT Impact/Stamp exploit kit landing page
      2  EXPLOIT-KIT JDB exploit kit landing page
      4  EXPLOIT-KIT KaiXin exploit kit attack vector attempt
      2  EXPLOIT-KIT Kore exploit kit landing page
      4  EXPLOIT-KIT Multiple exploit kit Class download attempt
      3  EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port
      2  EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll
      2  EXPLOIT-KIT Neutrino exploit kit Java archive transfer
      2  EXPLOIT-KIT Neutrino exploit kit landing page
      2  EXPLOIT-KIT Neutrino exploit kit landing page
      2  EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt
      2  EXPLOIT-KIT Neutrino exploit kit outbound request format
      2  EXPLOIT-KIT Neutrino exploit kit redirection page
      2  EXPLOIT-KIT Nuclear exploit kit landing page
      3  EXPLOIT-KIT Private exploit kit landing page
      6  EXPLOIT-KIT Redkit exploit kit landing page
      3  EXPLOIT-KIT Redkit exploit kit landing page redirection
      2  EXPLOIT-KIT Styx exploit kit landing page
      4  EXPLOIT-KIT Sweet Orange exploit kit landing page
      4  EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure
      2  EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player
      6  EXPLOIT-KIT Teletubbies exploit kit payload download
      2  EXPLOIT-KIT Teletubbies exploit kit secondary payload
      2  EXPLOIT-KIT X2O exploit kit landing page
      7  EXPLOIT Microsoft win32k.sys escalation of privilege attempt
      2  EXPLOIT Oracle Reports Servlet information disclosure attempt
      2  FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt
      2  FILE-EXECUTABLE download of executable content
      2  FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt
      2  FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt
      6  FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt
      2  FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt
      2  FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt
      2  FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt
      5  FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt
      2  FILE-FLASH Action InitArray stack overflow attempt
      2  FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt
      2  FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt
      2  FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt
      2  FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt
      2  FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt
      2  FILE-FLASH Adobe Actionscript Stage3D null dereference attempt
      7  FILE-FLASH Adobe Flash ActionScript float index array memory corruption
      3  FILE-FLASH Adobe Flash ActionScript float index array memory corruption attempt
      2  FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt
      2  FILE-FLASH Adobe Flash file DefineFont4 remote code execution attempt
      2  FILE-FLASH Adobe Flash malformed record stack exhaustion attempt
      4  FILE-FLASH Adobe Flash malformed regular expression exploit attempt
      3  FILE-FLASH Adobe Flash malformed RTMP response attempt
      2  FILE-FLASH Adobe Flash MP4 ref_frame allocated buffer overflow attempt
      4  FILE-FLASH Adobe Flash null reference JIT compilation attempt
      2  FILE-FLASH Adobe Flash OpenType font memory corruption attempt
      5  FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt
      3  FILE-FLASH Adobe Flash Player action script 3 bitmap malicious rectangle attempt
      2  FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt
      2  FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt
      4  FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt
      4  FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt
      2  FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar
      2  FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar
      2  FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls
      8  FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt
      4  FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt
      2  FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt
      2  FILE-FLASH Adobe Flash Player cross-site request forgery attempt
      2  FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt
      2  FILE-FLASH Adobe Flash Player DRM encrypted file detected

[s-takehana]

Also you should compare each ref_tag from both sid-msg.map file not just suricata.

awk -F '[||]' '{ print $3 }' /pathto/snort/sid-msg.map | sort | uniq > uniq_sid-msg.map
awk -F '[||]' '{ print $3 }' /pathto/suricata/rules/sid-msg.map | sort | uniq >> uniq_sid-msg.map
cat uniq_sid-msg.map | sort | uniq -dc
(nothing)

[binf]

Can you attach both of your sid-msg.map file and name them snort-sid-msg.map and suri-sid-msg.map? I will try to replicate.

On Thu, Nov 7, 2013 at 12:20 AM, s-takehana notifications@github.comwrote:

VRT sid-msg.map(Because this is big, I extract)

awk -F '[||]' '{ print $3 }' /pathto/snort/sid-msg.map | sort | uniq -dc 2 APP-DETECT Dropbox desktop software in use 2 APP-DETECT Dynamic Internet Technology Freegate application executable download attempt 2 APP-DETECT Dynamic Internet Technology Freegate application zip download attempt 3 APP-DETECT Teamviewer remote connection attempt 2 APP-DETECT Thunder p2p application activity detection 2 BLACKLIST DNS request for known malware domain aar.bigdepression.net 2 BLACKLIST DNS request for known malware domain bah001.blackcake.net 2 BLACKLIST DNS request for known malware domain caci2.infosupports.com 2 BLACKLIST DNS request for known malware domain catalog.earthsolution.org 2 BLACKLIST DNS request for known malware domain doa.bigdepression.net 2 BLACKLIST DNS request for known malware domain epod.businessconsults.net 2 BLACKLIST DNS request for known malware domain ghma.earthsolution.org 2 BLACKLIST DNS request for known malware domain hapyy2010.lflinkup.net 2 BLACKLIST DNS request for known malware domain hav.earthsolution.org 2 BLACKLIST DNS request for known malware domain info.businessconsults.net 2 BLACKLIST DNS request for known malware domain inter.earthsolution.org 2 BLACKLIST DNS request for known malware domain java.earthsolution.org 2 BLACKLIST DNS request for known malware domain leets.hugesoft.org 2 BLACKLIST DNS request for known malware domain lucy2.businessconsults.net 2 BLACKLIST DNS request for known malware domain lucy2.infosupports.com 2 BLACKLIST DNS request for known malware domain lucy.blackcake.net 2 BLACKLIST DNS request for known malware domain lucy.businessconsults.net 2 BLACKLIST DNS request for known malware domain mantech.blackcake.net 2 BLACKLIST DNS request for known malware domain news.businessconsults.net 2 BLACKLIST DNS request for known malware domain ou2.infosupports.com 2 BLACKLIST DNS request for known malware domain ou3.infosupports.com 2 BLACKLIST DNS request for known malware domain ou7.infosupports.com 2 BLACKLIST DNS request for known malware domain pop.businessconsults.net 2 BLACKLIST DNS request for known malware domain pop.dnsweb.org 2 BLACKLIST DNS request for known malware domain qiao1.bigdepression.net 2 BLACKLIST DNS request for known malware domain qiao2.bigdepression.net 2 BLACKLIST DNS request for known malware domain qiao3.bigdepression.net 2 BLACKLIST DNS request for known malware domain qiao4.bigdepression.net 2 BLACKLIST DNS request for known malware domain qiao5.bigdepression.net 2 BLACKLIST DNS request for known malware domain qiao6.bigdepression.net 2 BLACKLIST DNS request for known malware domain quick.earthsolution.org 2 BLACKLIST DNS request for known malware domain quiet.earthsolution.org 2 BLACKLIST DNS request for known malware domain rouji.freespirit.acmetoy.com 2 BLACKLIST DNS request for known malware domain slnoa.newsonet.net 2 BLACKLIST DNS request for known malware domain sos.businessconsults.net 2 BLACKLIST DNS request for known malware domain sports.businessconsults.net 2 BLACKLIST DNS request for known malware domain srs.infosupports.com 2 BLACKLIST DNS request for known malware domain ssa.businessconsults.net 2 BLACKLIST DNS request for known malware domain sys.businessconsults.net 2 BLACKLIST DNS request for known malware domain trb.arrowservice.net 2 BLACKLIST DNS request for known malware domain visual.earthsolution.org 2 BLACKLIST DNS request for known malware domain vop.earthsolution.org 2 BLACKLIST DNS request for known malware domain vope.purpledaily.com 2 BLACKLIST DNS request for known malware domain www2.wikaba.com 2 BLACKLIST DNS request for known malware domain yang1.infosupports.com 2 BLACKLIST DNS request for known malware domain yang2.infosupports.com 2 BLACKLIST User-Agent known malicious user-agent string GPRecover 2 BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent 2 BROWSER-CHROME Google Chrome Uninitialized bug_report Pointer Code Execution 2 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt 4 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow 3 BROWSER-FIREFOX Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt 2 BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt 2 BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt 2 BROWSER-FIREFOX Mozilla Firefox Animated PNG Processing integer overflow attempt 4 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt 2 BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt 2 BROWSER-FIREFOX Mozilla Firefox Chrome Page Loading Restriction Bypass attempt 2 BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt 2 BROWSER-FIREFOX Mozilla Firefox defineSetter function pointer memory corruption attempt 4 BROWSER-FIREFOX Mozilla Firefox domain name handling buffer overflow attempt 2 BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt 2 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption 6 BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt 2 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt 2 BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution 4 BROWSER-FIREFOX Mozilla Firefox Javascript arbitrary memory reading attempt 2 BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt 2 BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt 2 BROWSER-FIREFOX Mozilla Firefox Javascript Engine Information Disclosure attempt 2 BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt 2 BROWSER-FIREFOX Mozilla Firefox tag order memory corruption attempt 2 BROWSER-FIREFOX Mozilla Multiple Products MozOrientation loading attempt 2 BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt 2 BROWSER-FIREFOX Mozilla Multiple Products xdomain object information disclosure attempt 2 BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt 2 BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt 2 BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt 2 BROWSER-FIREFOX Mozilla Thunderbird / SeaMonkey Content-Type header buffer overflow attempt 2 BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt 2 BROWSER-IE Microsoft Internet Explorer 6 usp10.dll Bengali font stack overrun attempt 2 BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt 4 BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt 2 BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt 2 BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt 4 BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt 2 BROWSER-IE Microsoft Internet Explorer 9 null character in string information disclosure attempt 2 BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt 8 BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt 2 BROWSER-IE Microsoft Internet Explorer 9 style properties use after free attempt 2 BROWSER-IE Microsoft Internet Explorer 9 table th element use after free attempt 2 BROWSER-IE Microsoft Internet Explorer 9 use after free attempt 2 BROWSER-IE Microsoft Internet Explorer AddOption use after free attempt 2 BROWSER-IE Microsoft Internet Explorer asynchronous code execution attempt 2 BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt 2 BROWSER-IE Microsoft Internet Explorer button object use after free memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer CDisplayPointer use after free attempt 4 BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt 2 BROWSER-IE Microsoft Internet Explorer CElement use-after-free attempt 11 BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt 2 BROWSER-IE Microsoft Internet Explorer CHTMLEditor use after free attempt 2 BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt 2 BROWSER-IE Microsoft Internet Explorer compatibility mode invalid memory access attempt 10 BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt 2 BROWSER-IE Microsoft Internet Explorer covered object memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer CPhraseElement use after free attempt 2 BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt 6 BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt 3 BROWSER-IE Microsoft Internet Explorer cross domain information disclosure attempt 2 BROWSER-IE Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt 2 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer CSS memory corruption attempt 4 BROWSER-IE Microsoft Internet Explorer CSS style memory corruption attempt 4 BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer CTreePos use after free memory corruption attempt 4 BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt 2 BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt 12 BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt 2 BROWSER-IE Microsoft Internet Explorer display node use after free attempt 5 BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer DOM object cache management memory corruption attempt 6 BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt 2 BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt 2 BROWSER-IE Microsoft Internet Explorer hgroup element DOM reset use after free attempt 2 BROWSER-IE Microsoft Internet Explorer htc file use after free attempt 3 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt 3 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt 2 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt 3 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt 5 BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer iframe execCommand use after free attempt 2 BROWSER-IE Microsoft Internet Explorer iframe use after free attempt 3 BROWSER-IE Microsoft Internet Explorer image download spoofing attempt 3 BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt 2 BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt 3 BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer invalid Shift_JIS character xss attempt 2 BROWSER-IE Microsoft Internet Explorer javascript apply method type confusion attempt 2 BROWSER-IE Microsoft Internet Explorer javascript call method type confusion attempt 2 BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt 8 BROWSER-IE Microsoft Internet Explorer layout-grid-char value exploit attempt 2 BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt 2 BROWSER-IE Microsoft Internet Explorer malformed table tag memory corruption attempt 3 BROWSER-IE Microsoft Internet Explorer Marquee stylesheet object removal 2 BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer MsgBox arbitrary code execution attempt 2 BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt 2 BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt 5 BROWSER-IE Microsoft Internet Explorer null object access attempt 2 BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer object management memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer onscroll DOS attempt 6 BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt 2 BROWSER-IE Microsoft Internet Explorer orphan DOM objects memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer range markup switch use after free attempt 2 BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt 4 BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt 5 BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt 3 BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt 2 BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt 4 BROWSER-IE Microsoft Internet Explorer sign extension vulnerability exploitation attempt 4 BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer static text range overflow attempt 2 BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt 2 BROWSER-IE Microsoft Internet Explorer telnet.exe file load exploit attempt 2 BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt 7 BROWSER-IE Microsoft Internet Explorer use after free attempt 6 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt 2 BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt 2 BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt 3 BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt 2 BROWSER-IE Microsoft Internet Explorer XML digital signature transformation of digest value 2 BROWSER-IE Microsoft multiple product toStaticHTML XSS attempt 2 BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt 2 BROWSER-IE Microsoft Windows Vector Markup Language imagedata page deconstruction attempt 2 BROWSER-OTHER HTML5 canvas element heap spray attempt 2 BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt 2 BROWSER-OTHER Opera file URI handling buffer overflow 2 BROWSER-OTHER Opera use after free attempt 2 BROWSER-PLUGINS AcroPDF.PDF ActiveX clsid access 2 BROWSER-PLUGINS AcroPDF.PDF ActiveX function call access 2 BROWSER-PLUGINS AdminStudio and InstallShield ActiveX clsid access attempt 2 BROWSER-PLUGINS AdminStudio and InstallShield ActiveX function call access attempt 2 BROWSER-PLUGINS AOL Radio AmpX ActiveX clsid access 2 BROWSER-PLUGINS Apple Quicktime plugin SetLanguage buffer overflow attempt 2 BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX clsid access 2 BROWSER-PLUGINS ASUS Net4Switch ipswcom.dll ActiveX function call access 2 BROWSER-PLUGINS Autodesk iDrop ActiveX clsid access 3 BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX clsid access 3 BROWSER-PLUGINS Bennet-Tec TList saveData arbitrary file creation ActiveX function call access 2 BROWSER-PLUGINS Black Ice Barcode SDK ActiveX clsid access 2 BROWSER-PLUGINS Black Ice Barcode SDK ActiveX function call access 4 BROWSER-PLUGINS Chilkat Socket ActiveX clsid access 2 BROWSER-PLUGINS Cisco AnyConnect ActiveX clsid access 2 BROWSER-PLUGINS Cisco Linksys PlayerPT ActiveX clsid access attempt 2 BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX clsid access 2 BROWSER-PLUGINS Cisco WebEx Meeting Manager atucfobj ActiveX function call access 2 BROWSER-PLUGINS Citrix Access Gateway plug-in ActiveX code execution attempt 2 BROWSER-PLUGINS ClearQuest session stack corruption attempt 2 BROWSER-PLUGINS Computer Associates gui_cm_ctrls ActiveX clsid access 5 BROWSER-PLUGINS DigWebX MSN ActiveX object access 2 BROWSER-PLUGINS EasyMail Objects Activex remote buffer overflow attempt 2 BROWSER-PLUGINS EMC ApplicationXtender Desktop ActiveX function call attempt 2 BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX clsid access attempt 2 BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt 4 BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt 8 BROWSER-PLUGINS HP Easy Printer Care Software ActiveX clsid access 2 BROWSER-PLUGINS HP Easy Printer Care Software ActiveX function call access 4 BROWSER-PLUGINS HP LoadRunner WriteFileString ActiveX function call attempt 7 BROWSER-PLUGINS HP Photo Creative ActiveX clsid access 2 BROWSER-PLUGINS Husdawg System Requirements Lab Control ActiveX clsid access 2 BROWSER-PLUGINS IBM Lotus iNotes buffer overflow ActiveX clsid access 2 BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt 2 BROWSER-PLUGINS IBM Lotus SameTime STJNILoader ActiveX clsid access attempt 2 BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access 2 BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access 2 BROWSER-PLUGINS IBM VsVIEW ActiveX control directory traversal attempt 2 BROWSER-PLUGINS Icona SpA C6 Messenger Downloader ActiveX clsid access 2 BROWSER-PLUGINS ICONICS WebHMI ActiveX clsid access attempt 2 BROWSER-PLUGINS iseemedia LPViewer ActiveX clsid access 2 BROWSER-PLUGINS iseemedia LPViewer ActiveX function call access 2 BROWSER-PLUGINS Java Applet sql.DriverManager exploit attempt 2 BROWSER-PLUGINS Java Applet sql.DriverManager fakedriver exploit attempt 4 BROWSER-PLUGINS Java security warning bypass through JWS attempt 2 BROWSER-PLUGINS Kodak Image Editing ActiveX object access 2 BROWSER-PLUGINS McAfee Security as a Service ActiveX clsid access attempt 2 BROWSER-PLUGINS McAfee Security as a Service ActiveX function call attempt 2 BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX clsid attempt 2 BROWSER-PLUGINS McAfee Virtual Technician Security Bypass ActiveX function call attempt 6 BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access 4 BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access 6 BROWSER-PLUGINS Microsoft dpnet.dll DirectPlay ActiveX clsid access 2 BROWSER-PLUGINS Microsoft Internet Explorer Active Setup ActiveX object access 2 BROWSER-PLUGINS Microsoft Internet Explorer Blnmgrps.dll ActiveX object access 3 BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt 24 BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt 2 BROWSER-PLUGINS Microsoft Internet Explorer Time DATIME.DLL ActiveX clsid access 2 BROWSER-PLUGINS Microsoft Rich TextBox ActiveX clsid access 2 BROWSER-PLUGINS Microsoft Silverlight inheritance restriction bypass 2 BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX clsid access 2 BROWSER-PLUGINS Microsoft Visual Studio Msmask32 ActiveX function call access 2 BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access 2 BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt 2 BROWSER-PLUGINS Microsoft Windows Media Services CallHTMLHelp ActiveX buffer overflow attempt 2 BROWSER-PLUGINS Microsoft Windows MsnPUpld ActiveX object access 11 BROWSER-PLUGINS Microsoft Windows RDP ActiveX component mstscax use after free attempt 2 BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access 2 BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access 2 BROWSER-PLUGINS Microsoft Windows Terminal Services Advanced Client ActiveX object access 2 BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX function call access 2 BROWSER-PLUGINS Novell iPrint ActiveX clsid access 2 BROWSER-PLUGINS Novell iPrint ActiveX function call access 2 BROWSER-PLUGINS Oracle AutoVue ActiveX control directory traversal attempt 2 BROWSER-PLUGINS Oracle Document Capture ActiveX function call access 2 BROWSER-PLUGINS Oracle Java Web Start control launchapp ActiveX clsid access 2 BROWSER-PLUGINS Oracle JRE Deployment Toolkit ActiveX clsid access attempt 2 BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX clsid access attempt 6 BROWSER-PLUGINS Oracle SetMarkupMode buffer overflow ActiveX function call access attempt 2 BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access 2 BROWSER-PLUGINS PPMate PPMPlayer.dll ActiveX clsid access 2 BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX clsid access 2 BROWSER-PLUGINS RealNetworks RealGames InstallerDlg.dll ActiveX function call access 2 BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt 2 BROWSER-PLUGINS RealNetworks RealPlayer Ierpplug.dll ActiveX function call access 2 BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL ActiveX function call access 4 BROWSER-PLUGINS SafeNet ActiveX clsid access 4 BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt 2 BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX clsid access 2 BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX function call access 2 BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt 2 BROWSER-PLUGINS SigPlus Pro ActiveX clsid access 2 BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX clsid access 2 BROWSER-PLUGINS SonicWall Aventail EPInstaller ActiveX function call access 3 BROWSER-PLUGINS Symantec Norton Antivirus ActiveX clsid access 5 BROWSER-PLUGINS Teechart Professional ActiveX clsid access 2 BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access 4 BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX clsid access 2 BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access 2 BROWSER-PLUGINS Trend Micro HouseCall ActiveX clsid access 2 BROWSER-PLUGINS Trend Micro HouseCall ActiveX function call access 3 BROWSER-PLUGINS Trend Micro Web Deployment ActiveX clsid access 2 BROWSER-PLUGINS Ultra Shareware Office Control ActiveX clsid access 2 BROWSER-PLUGINS Ultra Shareware Office Control ActiveX function call access 24 BROWSER-PLUGINS Veritas Storage Exec ActiveX clsid access attempt 2 BROWSER-PLUGINS Viscom Software Image Viewer ActiveX function call access 4 BROWSER-PLUGINS VMWare Remote Console format string code execution attempt 2 BROWSER-PLUGINS Yahoo Music Jukebox ActiveX exploit 2 BROWSER-WEBKIT Apple Safari SVG Markers Memory Use-After-Free attempt 2 BROWSER-WEBKIT Apple Safari Webkit attribute child removal code execution attempt 2 BROWSER-WEBKIT Apple Safari Webkit CSS Charset Text transformation code execution attempt 4 BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt 3 BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt 2 BROWSER-WEBKIT Apple Safari Webkit libxslt arbitrary file creation attempt 2 BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt 2 BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt 2 BROWSER-WEBKIT Apple Safari Webkit SVG memory corruption attempt 2 CONTENT-REPLACE QQ 2009 deny tcp login 2 DNS Multiple vendor DNS message decompression denial of service attempt 5 EXPLOIT-KIT Blackhole exploit kit landing page 3 EXPLOIT-KIT Blackhole exploit kit landing page download attempt 4 EXPLOIT-KIT Blackhole exploit kit landing page retrieval 5 EXPLOIT-KIT Blackhole exploit kit landing page - specific structure 2 EXPLOIT-KIT Blackhole exploit kit landing page with specific header 2 EXPLOIT-KIT Blackhole exploit kit landing page with specific structure 3 EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch 3 EXPLOIT-KIT Blackhole redirection attempt 2 EXPLOIT-KIT Blackhole suspected landing page 2 EXPLOIT-KIT Blackholev2/Cool exploit kit landing page 2 EXPLOIT-KIT Blackholev2 exploit kit landing page 2 EXPLOIT-KIT Blackholev2 exploit kit landing page 2 EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt 3 EXPLOIT-KIT Blackholev2 exploit kit landing page in an email 2 EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure 3 EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure 2 EXPLOIT-KIT Blackholev2 exploit kit malicious jar download 2 EXPLOIT-KIT Blackholev2 exploit kit redirection injection 2 EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure 3 EXPLOIT-KIT Blackholev2 exploit kit redirection successful 8 EXPLOIT-KIT Bleeding Life exploit kit module call 2 EXPLOIT-KIT Cool exploit kit 32-bit font file download 2 EXPLOIT-KIT Cool exploit kit 64-bit font file download 10 EXPLOIT-KIT Cool exploit kit EOT file download 9 EXPLOIT-KIT Cool exploit kit java exploit retrieval 4 EXPLOIT-KIT Cool exploit kit landing page 4 EXPLOIT-KIT Cool exploit kit landing page - specific structure 12 EXPLOIT-KIT Cool exploit kit malicious class file download 3 EXPLOIT-KIT Cool exploit kit malicious jar file download 2 EXPLOIT-KIT Cool exploit kit outbound request 3 EXPLOIT-KIT Cool exploit kit PDF exploit 2 EXPLOIT-KIT Cool exploit kit - PDF Exploit 4 EXPLOIT-KIT Cool exploit kit pdf exploit retrieval 2 EXPLOIT-KIT Cool exploit kit Portable Executable download 2 EXPLOIT-KIT Cool exploit kit redirection page 3 EXPLOIT-KIT Cool exploit kit SWF file download 3 EXPLOIT-KIT Crimeboss exploit kit - Java exploit download 3 EXPLOIT-KIT Crimeboss exploit kit outbound connection 3 EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt 2 EXPLOIT-KIT Crimeboss exploit kit redirection attempt 2 EXPLOIT-KIT DotCachef/DotCache exploit kit inbound java exploit download 2 EXPLOIT-KIT DotCachef/DotCache exploit kit Zeroaccess download attempt 2 EXPLOIT-KIT Egypack exploit kit landing page 7 EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator 2 EXPLOIT-KIT Gong Da exploit kit Java exploit requested 2 EXPLOIT-KIT Impact/Stamp exploit kit landing page 2 EXPLOIT-KIT JDB exploit kit landing page 4 EXPLOIT-KIT KaiXin exploit kit attack vector attempt 2 EXPLOIT-KIT Kore exploit kit landing page 4 EXPLOIT-KIT Multiple exploit kit Class download attempt 3 EXPLOIT-KIT Multiple exploit kit jar file retrieved on non-standard port 2 EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll 2 EXPLOIT-KIT Neutrino exploit kit Java archive transfer 2 EXPLOIT-KIT Neutrino exploit kit landing page 2 EXPLOIT-KIT Neutrino exploit kit landing page 2 EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt 2 EXPLOIT-KIT Neutrino exploit kit outbound request format 2 EXPLOIT-KIT Neutrino exploit kit redirection page 2 EXPLOIT-KIT Nuclear exploit kit landing page 3 EXPLOIT-KIT Private exploit kit landing page 6 EXPLOIT-KIT Redkit exploit kit landing page 3 EXPLOIT-KIT Redkit exploit kit landing page redirection 2 EXPLOIT-KIT Styx exploit kit landing page 4 EXPLOIT-KIT Sweet Orange exploit kit landing page 4 EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure 2 EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player 6 EXPLOIT-KIT Teletubbies exploit kit payload download 2 EXPLOIT-KIT Teletubbies exploit kit secondary payload 2 EXPLOIT-KIT X2O exploit kit landing page 7 EXPLOIT Microsoft win32k.sys escalation of privilege attempt 2 EXPLOIT Oracle Reports Servlet information disclosure attempt 2 FILE-EXECUTABLE ClamAV UPX File Handling Heap overflow attempt 2 FILE-EXECUTABLE download of executable content 2 FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt 2 FILE-EXECUTABLE Microsoft .NET blacklisted method reflection sandbox bypass attempt 6 FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt 2 FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt 2 FILE-EXECUTABLE Microsoft Windows .NET invalid parsing of graphics data attempt 2 FILE-EXECUTABLE Microsoft Windows Vista Windows mail file execution attempt 5 FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt 2 FILE-FLASH Action InitArray stack overflow attempt 2 FILE-FLASH Adobe Acrobat Flash Player atl.dll dll-load exploit attempt 2 FILE-FLASH Adobe Acrobat Flash Player nvapi.dll dll-load exploit attempt 2 FILE-FLASH Adobe Acrobat Flash Player uxtheme.dll dll-load exploit attempt 2 FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt 2 FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt 2 FILE-FLASH Adobe Actionscript Stage3D null dereference attempt 7 FILE-FLASH Adobe Flash ActionScript float index array memory corruption 3 FILE-FLASH Adobe Flash ActionScript float index array memory corruption attempt 2 FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt 2 FILE-FLASH Adobe Flash file DefineFont4 remote code execution attempt 2 FILE-FLASH Adobe Flash malformed record stack exhaustion attempt 4 FILE-FLASH Adobe Flash malformed regular expression exploit attempt 3 FILE-FLASH Adobe Flash malformed RTMP response attempt 2 FILE-FLASH Adobe Flash MP4 ref_frame allocated buffer overflow attempt 4 FILE-FLASH Adobe Flash null reference JIT compilation attempt 2 FILE-FLASH Adobe Flash OpenType font memory corruption attempt 5 FILE-FLASH Adobe Flash Player Action InitArray stack overflow attempt 3 FILE-FLASH Adobe Flash Player action script 3 bitmap malicious rectangle attempt 2 FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt 2 FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt 4 FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt 4 FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt 2 FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar 2 FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar 2 FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls 8 FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt 4 FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt 2 FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt 2 FILE-FLASH Adobe Flash Player cross-site request forgery attempt 2 FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt 2 FILE-FLASH Adobe Flash Player DRM encrypted file detected

— Reply to this email directly or view it on GitHubhttps://github.com/firnsy/barnyard2/issues/102#issuecomment-27938534 .

[s-takehana]

Eric, can you see this messages? Did you delete your github account?

[s-takehana]

My account was suspended. I close this issue. Thank you.