[Snort-users] Unified output and multiple .map's.
andreaso at ...236...
Sun Mar 6 02:54:37 EST 2005
> Hi all,
> I was wondering how people using the unified output, the official Snort rules
> and the bleeding rules are handling their .map files?
> It requires the extra step of re-creating the sid-msg.map file after both
> sets of rules have been applied via Oinkmaster.
I'm sure there are several ways to do this but as seen in
under "Q26: How do I keep my sid-msg.map up-to-date?", I
personally prefer to use create-sidmap.pl to generate the map myself. I
would probably do so even if all the tools could handle multiple .map
files. A few reasons:
- I don't want to assume that the included sid-msg.map files in all
rules archives are updated correctly
- I have local rules and must generate a sid map anyway
- By running create-sidmap.pl you automatically get a sid dup check
across all the rules, including local ones. Concatenating several
sid-msg.map files without some basic sanity check could be bad.
- Generating a new map is as simple as running create-sidmap.pl and pointing
to all rules directories. Just make sure it's run after each rules
update and you'll never have to care about it again.
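As an added illustration of the approach described in the reply above (this is not code from the post, from Oinkmaster or from create-sidmap.pl), the following Python script does what the reply asks of create-sidmap.pl: it walks every rules directory it is pointed at, pulls sid, msg and reference options out of each active rule, writes a sid-msg.map in the "sid || msg || reference" format Snort's unified output tools consume, and refuses to silently merge two rules that carry the same sid. The rules embedded in SAMPLE_RULES are constructed for the demo and contain one deliberate sid collision; the sid 1000000+ range and the file names are assumptions, not values from the post.

```python
import re
import sys
from pathlib import Path

# Constructed sample rules (not from the mailing list post). Two "directories",
# one deliberate sid collision (1000002) so the duplicate check has something to find.
SAMPLE_RULES = {
    "rules/official/local-test.rules": '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH banner probe"; flow:to_server; sid:1000001; rev:1;)
# a commented-out rule is skipped, just like a disabled rule in Oinkmaster output
alert udp any any -> any 53 (msg:"EXAMPLE DNS query"; reference:url,example.test/dns; sid:1000002; rev:2;)
''',
    "rules/bleeding/local-test.rules": '''
alert tcp any any -> any 80 (msg:"EXAMPLE HTTP probe"; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE duplicate sid"; sid:1000002; rev:1;)
''',
}

# Rule header (action + addresses) contains no "(", so the option body is everything
# between the first "(" and the last ")" on the line.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$')
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'reference\s*:\s*([^;]+?)\s*;')


def parse_rules(text: str, source: str):
    """Yield (sid, msg, refs, where) for every active rule in one rules file body."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        sid = SID_RE.search(body)
        msg = MSG_RE.search(body)
        if not sid or not msg:
            # A rule without sid or msg cannot produce a usable map entry; skip it
            # rather than emit a line Snort tools would misparse.
            continue
        refs = [r.strip() for r in REF_RE.findall(body)]
        yield int(sid.group(1)), msg.group(1), refs, f"{source}:{lineno}"


def build_sidmap(rule_files: dict):
    """Return (map_lines, duplicates).

    map_lines: sorted "sid || msg || ref..." strings ready to write to sid-msg.map.
    duplicates: {sid: [file:line, ...]} for every sid defined more than once across
    all supplied files, the sanity check the reply says concatenation would lack.
    """
    entries = {}   # sid -> (msg, refs), first occurrence wins
    seen = {}      # sid -> every location it was defined
    for source, text in rule_files.items():
        for sid, msg, refs, where in parse_rules(text, source):
            seen.setdefault(sid, []).append(where)
            entries.setdefault(sid, (msg, refs))
    duplicates = {sid: where for sid, where in seen.items() if len(where) > 1}
    lines = [" || ".join([str(sid), entries[sid][0], *entries[sid][1]])
             for sid in sorted(entries)]
    return lines, duplicates


def load_rules_dirs(dirs):
    """Read every *.rules file under each directory into {path: contents}."""
    files = {}
    for d in dirs:
        for p in sorted(Path(d).rglob("*.rules")):
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
    return files


if __name__ == "__main__":
    # Usage: python sidmap.py /etc/snort/rules /etc/snort/bleeding-rules > sid-msg.map
    # With no arguments the constructed SAMPLE_RULES are used instead of the filesystem.
    files = load_rules_dirs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_RULES
    lines, dups = build_sidmap(files)
    for sid, where in sorted(dups.items()):
        print(f"WARNING: sid {sid} defined more than once: {', '.join(where)}", file=sys.stderr)
    print("\n".join(lines))
    # Non-zero exit lets a post-Oinkmaster hook stop before installing a bad map.
    sys.exit(1 if dups else 0)
```

Run it after each Oinkmaster update with every rules directory (official, bleeding and local) on the command line; the duplicate warnings go to stderr and the exit status lets the update script abort instead of installing a map with conflicting sids.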