[Snort-users] Just FYI
hoagland at ...47...
Tue Mar 6 14:43:00 EST 2001
At 11:06 AM -0700 3/1/01, Jim Forster wrote:
>The new 'clean' ruleset is up and ready for download. There have been some
>major changes to this set (many thanks to Brian Caswell) and it is a much
>cleaner, more accurate rulebase.
Thanks, Jim, for your efforts on this, I'm sure many people will find
this update useful.
>2) Links to arachNIDS, CVE #'s, Bugtraq IDs, etc.. have been moved from the
>'MSG' field to the 'reference' field. This will break SnortSnarf's HTML
>linking for the time being, but the Silicon Defense guys are aware of the
>changes and will be updating soon.
As a point of clarification, the effect of the new ruleset on
SnortSnarf's output is minimal. SnortSnarf since at least version
031800.1 has had the feature that if the message part of an alert
contained the text "IDSxxx", SnortSnarf would include a link to
the corresponding web page on arachNIDS. With this new ruleset,
IDSxxx is no longer present in the message part of the alert (for
reasons that I agree with). The natural consequence of this is that
with the new ruleset, the arachNIDS links will no longer be produced,
so you will need to type in the URL manually. To my knowledge, this
is the only difference you will experience in using SnortSnarf with
these new rules.
Silicon Defense does plan to put a new version of SnortSnarf out with
the needed new features to get this type of external linking back to
those users who use the new ruleset. For now though, you can visit
arachNIDS manually. May we suggest using the -rules* options to
include excerpts from your ruleset in the SnortSnarf output. This
way you can see what arachNIDS number to look for.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (707) 445-4222 *|
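As an added illustration (not from the post, and not SnortSnarf's own code) of why the link disappears: the matching described above keys on "IDSxxx" in the msg text, while the new rules carry the number in the rule's reference option instead. The arachNIDS URL template and the two sample rules are constructed assumptions.

```python
import re

# Assumed arachNIDS URL template (not taken from the post).
ARACHNIDS_URL = "http://www.whitehats.com/info/IDS{num}"

# Old behaviour described in the post: look for "IDSxxx" in the message text.
MSG_ID_RE = re.compile(r"\bIDS(\d+)\b")
# New ruleset: the ID lives in the reference option, e.g. reference:arachnids,999;
REF_RE = re.compile(r"reference:\s*arachnids\s*,\s*(?:IDS)?(\d+)", re.IGNORECASE)
# Pull the quoted msg text out of a rule line.
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')

# Constructed sample rules (hypothetical ID 999, not a real arachNIDS entry).
OLD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
            '(msg:"EXAMPLE exploit attempt IDS999"; flags:A+;)')
NEW_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
            '(msg:"EXAMPLE exploit attempt"; flags:A+; reference:arachnids,999;)')


def links_from_msg(msg):
    """The old SnortSnarf approach: scan only the alert message text."""
    return [ARACHNIDS_URL.format(num=n) for n in MSG_ID_RE.findall(msg)]


def links_from_rule(rule):
    """Handle both rule styles: msg text first, then the reference option.

    Results are de-duplicated while preserving order, so a rule that carries
    the ID in both places yields a single link."""
    found = []
    m = MSG_RE.search(rule)
    if m:
        found.extend(links_from_msg(m.group(1)))
    found.extend(ARACHNIDS_URL.format(num=n) for n in REF_RE.findall(rule))
    return list(dict.fromkeys(found))


if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE):
        msg = MSG_RE.search(rule).group(1)
        print("msg-only :", links_from_msg(msg))   # empty for the new style
        print("msg+ref  :", links_from_rule(rule))  # link found either way
```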