[Snort-users] How Can I display the rule name instead of the ID with ACID?

Berta Alcala berta83 at ...11827...
Tue May 13 05:11:59 EDT 2008


Thank you very much for your reply.
As Matt says, what I really want is how to display the signature
description in the "sig_name" field instead of the signature ID.
I don't use barnyard, nor BASE. So the first thing I'm going to do is
install BASE. Do I need to use barnyard?

Regards,
Berta

2008/5/12 Joel Esler <joel.esler at ...3027...>:

> So, if you are displaying just the sig-id in the signature field, instead
> of the name of the signature, this leads me to believe that you are
> using barnyard to read unified files and output their contents into
> the db.
>
> The problem is not with BASE, ACID, or even Snort.
> It's a misconfiguration in Barnyard.  You don't have your barnyard
> reading your correct sid-msg.map file.
>
> Joel
>
> On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:
>
> > Yep, for a first step it will be great if you can
> > just use BASE instead. Just hit this following link
> > to download the latest version of BASE:
> >
> > http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
> >
> > There are two columns named "signature" and "sig_name"
> > on the "acid_event" table that contain the same value,
> > signature ID (sig_id).
> >
> > In this case, what Berta really wants is how to display
> > the signature description in the "sig_name" field (not the
> > signature ID), CMIIW.
> >
> > Regards,
> > Matt
> >
> >
> >
> >
> > --- Joel Esler <joel.esler at ...3027...> wrote:
> >
> >> First, you should switch to BASE
> >> http://base.secureideas.net.  ACID
> >> has been dead for at least 5 years.
> >>
> >> Second, do you mean that in the signature name field you have a
> >> number, and not the name of the alert?  Or are you saying that you
> >> want the description of the rule displayed somewhere?
> >>
> >> Please clarify your statement so that we can make a more helpful
> >> suggestion.
> >>
> >> Joel
> >>
> >> On May 12, 2008, at 5:04 AM, Berta Alcala wrote:
> >>
> >>> I use snort+acid+mysql. When I display the alerts there is a
> >>> "Signature" column that is the signature ID.
> >>> I need the "sig_name" field (which is the rule's description)
> >>> instead of the sig_id. The problem is in the "acid_event" table,
> >>> here there are "signature" and "sig_name", both with the same value,
> >>> the ID.
> >>> How can I get the description? There are a lot of files and I
> >>> don't know which one I have to modify.
> >>>
> >>
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >> --
> >> Joel Esler
> >>   joel.esler at ...3027...
> >>   http://blog.joelesler.net
> >> [m]
>
>
>
>
>
>
>
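Joel's diagnosis above is that Barnyard fills the signature name from sid-msg.map, so a missing or stale map leaves the numeric SID in the name column. The following is an added example, not code from the thread, Barnyard or BASE: it parses a constructed sid-msg.map in the classic `sid || msg || ref` layout, resolves SIDs to rule messages with the same "fall back to the bare ID" behaviour the thread observes, and reports which SIDs seen in the alert database the map cannot name. The sample map and the list of SIDs "seen in acid_event" are both constructed stand-ins.

```python
"""Resolve Snort signature IDs to rule messages using a sid-msg.map file.

Added illustration, not Barnyard's or BASE's code. Barnyard reads
sid-msg.map to turn the numeric SID in a unified alert into the rule's
message; if the map it reads is missing or stale, the name column ends up
holding the bare number, which is the symptom described in the thread.
The sample map below is constructed for this example.
"""
from typing import Dict, List

# Constructed sample in the classic sid-msg.map layout:
#   <sid> || <msg> || <ref> || <ref> ...
# Comment lines, blank lines and lines without a numeric SID are skipped.
SAMPLE_SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL SSH brute-force attempt || url,example.org/rules/ssh
1000002 || LOCAL suspicious DNS query
1000003 || LOCAL outbound IRC connection || url,example.org/rules/irc
not-a-sid || this line is malformed and must be ignored
"""


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Return {sid: message} for every well-formed line in a sid-msg.map."""
    mapping: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        # Need at least "<sid> || <msg>", and the SID must be an integer.
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        mapping[int(parts[0])] = parts[1]
    return mapping


def resolve_sig_name(sid: int, mapping: Dict[int, str]) -> str:
    """Name for a SID; falls back to the bare number when the map lacks it.

    The fallback mirrors what the thread observes: an unmapped SID shows up
    as its own ID in the name field.
    """
    return mapping.get(sid, str(sid))


def unresolved_sids(observed_sids: List[int], mapping: Dict[int, str]) -> List[int]:
    """SIDs seen in the alert database that the loaded map cannot name.

    A non-empty result means the map being read does not match the rule
    set that generated the alerts, i.e. the misconfiguration to look for.
    """
    return [sid for sid in observed_sids if sid not in mapping]


if __name__ == "__main__":
    sidmap = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    # Constructed stand-in for the distinct signature IDs found in acid_event.
    seen_in_db = [1000001, 1000002, 1000003, 2000500]
    for sid in seen_in_db:
        print(f"{sid} -> {resolve_sig_name(sid, sidmap)}")
    print("unmapped:", unresolved_sids(seen_in_db, sidmap))
```

Pointing `parse_sid_msg_map` at the map file Barnyard is actually configured to read, and `unresolved_sids` at the distinct IDs in the alert table, gives a quick check of whether the two match before touching any of the other files.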