[Snort-sigs] First attempt at writing a sig

Russell Fulton r.fulton at ...575...
Sun Dec 19 23:11:01 EST 2004


On Fri, 2004-12-17 at 14:03 -0600, Lance Boon wrote:
> The only
> thing that is bugging me and I'm sure that it's something that I'm
> missing is that when an alert hits it doesn't read "Netop Remote Control
> Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0] 

You need to add an entry for the rule into the sig-msg.map file (I don't
think I have the name right -- it has the sid and message for every
rule).  Acid just stores the sid and has a separate table for the actual
messages.

I recently wrote a short Perl script that reads all the rule files in a
directory and writes a message map file for barnyard because of exactly
this problem.
-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
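
A sketch of the kind of generator described above, added here as an example; it is not Russell's script and not code from the Snort or Barnyard projects. It assumes the `sid || msg || reference ...` line format used by Snort's sid-msg.map; the function names and the sample rules are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample; only the msg text and sid 2000000 come from the thread.
SAMPLE = r'''# local.rules
alert tcp any any -> any any (msg:"Netop Remote Control Usage"; sid:2000000;)
# alert tcp any any -> any any (msg:"Disabled \"test\" rule"; \
    reference:url,example.com/advisory; sid:2000001; rev:1;)
'''

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')

def parse_rules(text):
    """Return {sid: 'sid || msg || ref...'} for every rule in text."""
    entries = {}
    # A trailing backslash continues a rule onto the next line.
    for line in re.sub(r'\\\r?\n', ' ', text).splitlines():
        # Keep disabled (commented-out) rules too: old alerts may still use the sid.
        rule = line.lstrip("# \t")
        if not rule.startswith(ACTIONS):
            continue
        msg, sid = MSG_RE.search(rule), SID_RE.search(rule)
        if not (msg and sid):
            continue  # no msg or sid: nothing to map
        fields = [sid.group(1), re.sub(r'\\(.)', r'\1', msg.group(1))]
        fields += [ref.strip() for ref in REF_RE.findall(rule)]
        entries[int(sid.group(1))] = " || ".join(fields)
    return entries

def build_map(rules_dir):
    """Merge all *.rules files in rules_dir into map-file text, sorted by sid."""
    entries = {}
    for path in sorted(Path(rules_dir).glob("*.rules")):
        entries.update(parse_rules(path.read_text(errors="replace")))
    return "".join(entries[sid] + "\n" for sid in sorted(entries))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.stdout.write(build_map(sys.argv[1]))
    else:
        print("\n".join(parse_rules(SAMPLE).values()))
```

Run with a rules directory as the only argument and redirect the output to the map file; a sid defined in more than one file keeps the entry from the file that sorts last.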
