[Snort-users] Just FYI

James Hoagland hoagland at ...47...
Tue Mar 6 14:43:00 EST 2001


Hello all,

At 11:06 AM -0700 3/1/01, Jim Forster wrote:
>The new 'clean' ruleset is up and ready for download.  There have been some
>major changes to this set (many thanks to Brian Caswell) and it is a much
>cleaner, more accurate rulebase.

Thanks, Jim, for your efforts on this; I'm sure many people will find 
this update useful.

>2) Links to arachNIDS, CVE #'s, Bugtraq IDs, etc.. have been moved from the
>'MSG' field to the 'reference' field.  This will break SnortSnarf's HTML
>linking for the time being, but the Silicon Defense guys are aware of the
>changes and will be updating soon.

As a point of clarification, the effect of the new ruleset on 
SnortSnarf's output is minimal.  SnortSnarf since at least version 
031800.1 has had the feature that if the message part of an alert 
contained the text "IDSxxx", that SnortSnarf would include a link to 
the corresponding web page on arachNIDS.  With this new ruleset, 
IDSxxx is no longer present in the message part of the alert (for 
reasons that I agree with).  The natural consequence of this is that 
with the new ruleset, the arachNIDS links will no longer be produced, 
so you will need to type in the URL manually.  To my knowledge, this 
is the only difference you will experience in using SnortSnarf with 
these new rules.

Silicon Defense does plan to put a new version of SnortSnarf out with 
the needed new features to get this type of external linking back to 
those users who use the new ruleset.  For now though, you can visit 
arachNIDS manually.  May we suggest using the -rules* options to 
include excerpts from your ruleset in the SnortSnarf output.  This 
way you can see what arachNIDS number to look for.

Kind regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|
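Added example (not from this message, the Snort ruleset, or SnortSnarf's own code): a small Python routine that locates the arachNIDS id the way the email describes, first in the rule's reference option (new ruleset) and, failing that, by the legacy IDSxxx text in the msg field, then builds the link. The URL prefix is an assumption (it follows the arachnids entry in Snort's reference.config) and the sample rules are constructed.

```python
import re
from typing import Optional

# Assumed arachNIDS URL prefix (follows Snort's reference.config convention; not from the email).
ARACHNIDS_URL = "http://www.whitehats.com/info/IDS"

# Old-style rules: the arachNIDS id was embedded in the msg text as "IDSnnn".
MSG_ID_RE = re.compile(r"\bIDS(\d+)\b")
# New-style rules: it lives in the reference option as "reference:arachnids,nnn;".
REF_ID_RE = re.compile(r"reference\s*:\s*arachnids\s*,\s*(\d+)\s*;", re.IGNORECASE)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def arachnids_id_from_msg(msg: str) -> Optional[str]:
    """Legacy SnortSnarf heuristic: look for IDSxxx in the alert message text."""
    m = MSG_ID_RE.search(msg)
    return m.group(1) if m else None


def arachnids_id_from_rule(rule: str) -> Optional[str]:
    """Prefer the reference option; fall back to the msg heuristic for rules
    that have not been converted to the new layout."""
    m = REF_ID_RE.search(rule)
    if m:
        return m.group(1)
    msg = MSG_RE.search(rule)
    return arachnids_id_from_msg(msg.group(1)) if msg else None


def arachnids_link(rule: str) -> Optional[str]:
    """Return the arachNIDS URL for a rule, or None when the rule carries no id."""
    ident = arachnids_id_from_rule(rule)
    return f"{ARACHNIDS_URL}{ident}" if ident else None


# Constructed sample rules (not taken from any real ruleset).
OLD_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
            '(msg:"IDS128 - WEB-CGI phf attempt"; content:"/phf"; flags:A+; sid:1000001;)')
NEW_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
            '(msg:"WEB-CGI phf attempt"; content:"/phf"; flags:A+; '
            'reference:arachnids,128; sid:1000001;)')
PLAIN_RULE = 'alert tcp any any -> any 80 (msg:"WEB-MISC something"; content:"foo"; sid:1000002;)'

if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE, PLAIN_RULE):
        print(arachnids_link(rule))
```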
