[Snort-users] Unified output and multiple .map's.

Andreas Östling andreaso at ...236...
Sun Mar 6 02:54:37 EST 2005


> Hi all,
>
> I was wondering how people using the unified output, the official Snort rules 
> and the bleeding rules are handling their .map files?

> It requires the extra step of re-creating the sid-msg.map file after both 
> sets of rules have been applied via Oinkmaster.
...

I'm sure there are several ways to do this but as seen in 
http://cvs.sourceforge.net/viewcvs.py/oinkmaster/oinkmaster/FAQ?view=markup
under "Q26: How do I keep my sid-msg.map up-to-date?", I 
personally prefer to use create-sidmap.pl to generate the map myself. I 
would probably do so even if all the tools could handle multiple .map 
files. A few reasons:

- I don't want to assume that the included sid-msg.map files in all 
rules archives are updated correctly

- I have local rules and must generate a sid map anyway

- By running create-sidmap.pl you automatically get a sid dup check 
across all the rules, including local ones. Concatenating several 
sid-msg.map files without some basic sanity check could be bad.

- Generating a new map is a simple as running create-sidmap.pl and point 
to all rules directories. Just make sure it's run after each rules 
update and you'll never have to care about it again.

/Andreas




More information about the Snort-users mailing list