[Snort-users] RE: WhiteHats Mirror

James Hoagland hoagland at ...47...
Fri Mar 1 09:17:19 EST 2002


At 9:32 AM -0500 3/1/02, Jeff Dell wrote:
>You need to point to the name www.activeworx.com not the ip, damn VH.
>Anyway, I don't know what you are using to lookup the alerts, but just
>change the reference for arachnids from www.whitehats.com/info to
>www.activeworx.com/info. If you want to change it within snort all
>together, just change the following line in sp_reference.h
>
>#define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS"
>
>to
>
>#define ARACHNIDS_URL_HEAD "http://www.activeworx.com/info/IDS"
>
>Or where ever you have your database...
>
>Jeff

Hi all,

If you want SnortSnarf to use this new resource, you can edit 
SnortFileInput.pm.  Change the first occurrence of 'whitehats' to 
have SnortSnarf based on the 'arachnids' reference in Snort rules. 
If you have changed snort as indicated above (so that the Xref in the 
Snort alerts is changed), you probably want to change the second 
occurrence of 'whitehats' in the file as well.

Best regards,

   Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|




More information about the Snort-users mailing list