[Snort-sigs] snort snort don't recognize plugin sid set by me

Y M snort at ...3751...
Fri May 15 05:25:27 EDT 2015

Comments below.

Date: Fri, 15 May 2015 00:26:34 +0200
From: danilogo1991 at ...2420...
To: Snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] snort snort don't recognize plugin sid set by me

>I created a new rule for snort with the following sid: 10001
It is recommended to use sids of value >= 1000000 as specified in the documentation: http://manual.snort.org/node31.html#SECTION00444000000000000000
>I receive alerts triggered by this rule in the OSSIM web interface but it appears as a Generic event. When I open the event detail window I find the event type id is changed to 2000000000 and the payload contains [Unknown plugin sid: 10001].....
While I am not familiar with OSSIM, in general when creating a new rule, its information - at minimum the sid and message - should be included in sid-msg.map in order for it to be recognized, i.e. the message of the alert is displayed instead of some generic message, usually "Snort Alert". The message "Generic Event" may be placed by OSSIM.

>Problem is that I can't differentiate between alerts triggered by rules created by me in a correlation directive.
>How can I set a proper name for the rule rather than Generic Event?
>How can I make the system recognize the event type set by me?

See my comments above.
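As an added illustration of the two points in the reply (this is not code from the thread or from Snort's own tooling): pull the sid and msg out of a rule, load them into a sid-msg.map lookup, and see what a consumer gets back when the sid is missing from the map or sits below the local-rule range. The sample rule, the map entries and the "Unknown plugin sid" fallback string are all constructed for this example.

```python
import re

# Constructed sample local rule in Snort rule syntax (not from the thread).
SAMPLE_RULE = 'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL web probe"; sid:1000001; rev:1;)'

# Constructed sample sid-msg.map in the legacy v1 layout: sid || msg || ref || ref ...
SAMPLE_MAP_V1 = """# comment lines are ignored
1000001 || LOCAL web probe || url,example.invalid/doc
2100498 || GPL ATTACK_RESPONSE id check returned root || bugtraq,5023
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def rule_sid_msg(rule):
    """Return (sid, msg) from a single-line rule, or None if either option is missing."""
    s, m = SID_RE.search(rule), MSG_RE.search(rule)
    if not s or not m:
        return None
    return int(s.group(1)), m.group(1)


def parse_sid_msg_map(text):
    """Parse sid-msg.map: v1 lines are 'sid || msg || refs'; after a '#v2' header
    lines are 'gid || sid || rev || classification || priority || msg || refs'."""
    mapping, v2 = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "#v2":
            v2 = True
            continue
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:
            key, msg = (int(fields[0]), int(fields[1])), fields[5]
        else:
            key, msg = (1, int(fields[0])), fields[1]  # v1 entries belong to generator 1
        mapping[key] = msg
    return mapping


def resolve(sid, mapping, gid=1):
    """Look up an alert's message; the fallback string imitates what the poster saw."""
    return mapping.get((gid, sid), "Unknown plugin sid: %d" % sid)


def local_sid_ok(sid):
    """Local rules should use sid >= 1000000 so they stay clear of distributed rule sets."""
    return sid >= 1000000
```

With the poster's sid 10001 absent from the map, `resolve` returns the generic fallback, which is the symptom described above; adding the rule's sid and msg to the map (and choosing a sid of 1000000 or above) makes the lookup return the real message.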