[Snort-users] Unified output and multiple .map's.

Chris Keladis chris at ...6400...
Fri Mar 4 17:35:45 EST 2005

Hi all,

I was wondering how people using the unified output, the official Snort 
rules and the bleeding rules are handling their .map files?

It seems it's a bit of a catch-22.

If you have multiple .map's, say, in their respective rule subdir, the 
spool pre-processor (Mudpit in this case) does not seem to like multiple 
.map files. In fact it defines them in the global {} section of the config.

Looking at Barnyard, it takes .map's on the command line and it seems to 
accept one set (gen, sid) per instance.

Concatenating the .map's into one big one works okay, but causes 
Oinkmaster confusion, when parsing the official rules it sees and 
removes the bleeding sid-msg.map entries, and vice versa.

It requires the extra step of re-creating the sid-msg.map file after 
both sets of rules have been applied via Oinkmaster.

The obvious solution to this is to have the unified pre-processors 
accept multiple .map files from different rule-sets.

Or is there another way to organize the rules whilst keeping Snort, the 
unified log pre-processor, and Oinkmaster happy?



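The workaround described in the post (rebuilding one combined sid-msg.map after Oinkmaster has updated each rule set, so a single Barnyard/Mudpit instance can load it) as an added example script, not from the original post or from any of the projects named. It assumes one sid-msg.map per rule subdirectory in the usual `sid || msg || ref ...` format and flags any sid that the two rule sets define with different messages, since a silent collision would mislabel alerts in the unified log reader; the sample maps are constructed.

```shell
#!/bin/sh
# Merge several sid-msg.map files (one per rule set) into one file for a
# single unified-log reader, to be run after Oinkmaster has updated every set.
# Exact duplicate lines are dropped; a sid that remains listed twice has two
# different messages, which is reported on stderr and makes the function fail.
# Added example; paths and file names are assumptions, not from the post.

merge_sid_maps() {
    out="$1"; shift
    # strip comment and blank lines, drop exact duplicates, order by sid
    cat "$@" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | sort -u | sort -t '|' -k1,1n > "$out"
    # any sid still present twice now carries two distinct message lines
    dupes=$(cut -d '|' -f1 "$out" | tr -d ' ' | sort | uniq -d)
    if [ -n "$dupes" ]; then
        for sid in $dupes; do
            echo "collision: sid $sid has differing entries in $out" >&2
        done
        return 1
    fi
    return 0
}

# Constructed sample maps standing in for the official and bleeding sets.
write_samples() {
    dir="$1"
    printf '# official\n1 || Official alert one || url,example\n2 || Official alert two\n' \
        > "$dir/official.map"
    printf '# bleeding\n2000001 || Bleeding alert || url,example\n2 || Official alert two\n' \
        > "$dir/bleeding.map"
}
```

Point it at the real per-rule-set maps (e.g. `merge_sid_maps /etc/snort/sid-msg.map rules/sid-msg.map bleeding/sid-msg.map`) as the last step of the Oinkmaster run; gen-msg.map can be merged the same way with the gid as the first field.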