[Snort-sigs] First attempt at writing a sig

Andreas Östling andreaso at ...58...
Mon Dec 20 00:43:01 EST 2004


There is also a script in the contrib directory included in the Oinkmaster 
tarball, create-sidmap.pl, that does this. It handles multiple rules 
directories and multi-line rules etc. http://oinkmaster.sourceforge.net/

/Andreas

On Monday 20 December 2004 08:10, Russell Fulton wrote:
> On Fri, 2004-12-17 at 14:03 -0600, Lance Boon wrote:
> > The only
> > thing that is bugging me and I'm sure that it's something that I'm
> > missing is that when an alert hits it doesn't read "Netop Remote Control
> > Usage" on the acid page it just says [snort] Snort Alert [1:2000000:0]
>
> You need to add an entry for the rule into the sig-msg.map file (I don't
> think I have the name right -- it has the sid and message for every
> rule).  Acid just stores the sid and has a separate table for the actual
> messages.
>
> I recently wrote a short perl script that reads all the rule files in a
> directory and writes a message map file for barnyard because of exactly
> this problem.
