[Snort-users] How Can I display the rule name instead of the ID with ACID?

Joel Esler joel.esler at ...3027...
Mon May 12 15:49:06 EDT 2008


So, if by displaying just the sig-id in the signature field, instead  
of the name of the signature, this leads me to believe that you are  
using barnyard to read unified files and output their contents into  
the db.

What the problem is, is not a problem with base, acid, or even Snort.   
It's a misconfiguration in Barnyard.  You don't have your barnyard  
reading your correct sid-msg.map file.

Joel

On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:

> Yep, for a first step it will be great if you can
> just use BASE instead. Just hit this following link
> to download the latest version of BASE:
> http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
>
> There are two columns named "signature" and "sig_name"
> on the "acid_event" table that contain the same value,
> signature ID (sig_id).
>
> In this case, what Berta really wants is how to display
> the signature description on the "sig_name" field (not the
> signature ID), CMIIW.
>
> regards
> Matt
>
>
>
>
> --- Joel Esler <joel.esler at ...3027...> wrote:
>
>> First, you should switch to BASE
>> http://base.secureideas.net.  ACID
>> has been dead for at least 5 years.
>>
>> Second, do you mean that in the signature name field
>> you have a
>> number, and not the name of the alert?  Or are you
>> saying that you
>> want the description of the rule displayed
>> somewhere?
>>
>> Please clarify your statement so that we can make a
>> better helpful
>> suggestion.
>>
>> Joel
>>
>> On May 12, 2008, at 5:04 AM, Berta Alcala wrote:
>>
>>> I use snort+acid+mysql. When I display the alerts there is a
>>> "Signature" column that is the signature ID.
>>> I need the "sig_name" field (which is the rule's description)
>>> instead of the sig_id. The problem is in the "acid_event" table,
>>> here there are "signature" and "sig_name", both with the same value,
>>> the ID.
>>> How can I get the description? There are a lot of files and I
>>> don't know which one I have to modify.
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>> --
>> Joel Esler
>>   joel.esler at ...3027...
>>   http://blog.joelesler.net
>> [m]
>>
>


--
Joel Esler
  joel.esler at ...3027...
  http://blog.joelesler.net
[m]
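The diagnosis in the reply at the top of the thread (Barnyard is not reading the correct sid-msg.map) comes down to the lookup a unified-log reader performs before it fills the sig_name column: generator 1 (the rules engine) is named from sid-msg.map, preprocessor generators from gen-msg.map, and a (gid, sid) pair that neither map knows is written out as the bare number. The Python below is an added example for this thread, not Barnyard's own code and not from any poster; it parses both map formats, resolves alert tuples, and lists the pairs the current maps cannot name, which is the check to run when the signature column is full of IDs. The map contents, the alert tuples and the local sids (1000001 and so on) are all constructed for the example. In practice the map Barnyard reads is whatever its config points at (the `config sid-msg-map:` and `config gen-msg-map:` lines in barnyard.conf), so if that file predates the rule set Snort is actually loading, every new sid lands in the numeric fallback.

```python
"""Resolve Snort (gid, sid) pairs to rule names from sid-msg.map / gen-msg.map.

Added example for this thread; it is not Barnyard's code. The lookup mirrors
what a unified-log reader has to do before it can fill sig_name: generator 1
(the rules engine) is named via sid-msg.map, every other generator
(preprocessors, decoder) via gen-msg.map. The map samples and the alert
tuples below are constructed for the example, not real Snort files.
"""

from typing import Dict, List, Tuple

# Constructed sample in the sid-msg.map format:  sid || msg || ref || ref ...
SAMPLE_SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL ICMP echo from lab subnet || url,example.invalid/lab-rules
1000002 || LOCAL outbound IRC on non-standard port
"""

# Constructed sample in the gen-msg.map format:  gid || sid || msg
SAMPLE_GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
122 || 1 || (portscan) TCP Portscan
122 || 3 || (portscan) TCP Portsweep
"""

# Constructed (gid, sid) pairs as a unified alert file would yield them.
# 1:2000999 is deliberately absent from the map above (a rule newer than the map).
SAMPLE_ALERTS: List[Tuple[int, int]] = [(1, 1000001), (122, 1), (1, 1000002), (1, 2000999)]


def _fields(line: str) -> List[str]:
    """Split one map line on '||' and strip whitespace; [] for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """sid -> msg for generator 1. Trailing reference fields are ignored."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 2:
            continue  # malformed line: no message after the sid
        names[int(fields[0])] = fields[1]
    return names


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """(gid, sid) -> msg for preprocessor and decoder generators."""
    names: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 3:
            continue
        names[(int(fields[0]), int(fields[1]))] = fields[2]
    return names


def resolve(gid: int, sid: int, sid_map: Dict[int, str],
            gen_map: Dict[Tuple[int, int], str]) -> str:
    """Return the rule name, or the bare sid as a string when the maps do not know it.

    The numeric fallback is this example's own choice; it reproduces the symptom
    in the thread, where every row in the signature column is just the ID.
    """
    name = sid_map.get(sid) if gid == 1 else gen_map.get((gid, sid))
    return name if name is not None else str(sid)


def find_unmapped(alerts: List[Tuple[int, int]], sid_map: Dict[int, str],
                  gen_map: Dict[Tuple[int, int], str]) -> List[Tuple[int, int]]:
    """Diagnostic: the (gid, sid) pairs in the alert stream the current maps cannot name.

    Every pair coming back means the map the reader was given is stale, wrong,
    or simply not the one Snort's loaded rule set was generated from.
    """
    missing: List[Tuple[int, int]] = []
    for gid, sid in alerts:
        known = sid in sid_map if gid == 1 else (gid, sid) in gen_map
        if not known:
            missing.append((gid, sid))
    return missing


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    gen_map = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for gid, sid in SAMPLE_ALERTS:
        print(f"[{gid}:{sid}] -> {resolve(gid, sid, sid_map, gen_map)}")
    print("unmapped with sample maps:", find_unmapped(SAMPLE_ALERTS, sid_map, gen_map))
    print("unmapped with empty maps: ", find_unmapped(SAMPLE_ALERTS, {}, {}))
```

Run against the real files, the useful call is find_unmapped over the sids you see in acid_event with the map Barnyard is configured to read: an all-numeric signature column corresponds to the empty-map case at the end of the block, and a short list of unmapped sids means the map is merely behind the rule set and needs regenerating from the rules Snort currently loads.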