[Snort-users] How Can I display the rule name instead of the ID with ACID?

Rachmat Hidayat Al-Anshar rachmat_hidayat_02 at ...131...
Tue May 13 07:45:11 EDT 2008


--- Berta Alcala <berta83 at ...11827...> wrote:

> I don't use barnyard, nor BASE. So the first thing
> I'm going to do is to install Base. Do I need to use
> barnyard?

It's better if you use Barnyard to process the
unified file format produced by Snort.

Snort's performance will increase greatly because
Snort doesn't need to spend effort writing its output
directly to the database. Let Barnyard take that job ;)
Snort will be more focused on monitoring the traffic.

And with BASE you will get more advantages than by
still using the old-fashioned ACID ;)

Happy snorting B-)
Matt

> 2008/5/12 Joel Esler <joel.esler at ...3027...>:
> 
> > So, if by displaying just the sig-id in the signature field, instead
> > of the name of the signature, this leads me to believe that you are
> > using barnyard to read unified files and output their contents into
> > the db.
> >
> > What the problem is, is not a problem with base, acid, or even Snort.
> > It's a misconfiguration in Barnyard.  You don't have your barnyard
> > reading your correct sid-msg.map file.
> >
> > Joel
> >
> > On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:
> >
> > > Yep, for a first step it will be great if you can just use BASE
> > > instead. Just hit this following link to download the latest
> > > version of BASE:
> > >
> > > http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
> > >
> > > There are two columns named "signature" and "sig_name" on the
> > > "acid_event" table that contain the same value, the signature ID
> > > (sig_id).
> > >
> > > In this case, what Berta really wants is how to display the
> > > signature description in the "sig_name" field (not the signature
> > > ID), CMIIW.
> > >
> > > regards
> > > Matt
> > >
> > > --- Joel Esler <joel.esler at ...3027...> wrote:
> > >
> > >> First, you should switch to BASE http://base.secureideas.net.  ACID
> > >> has been dead for at least 5 years.
> > >>
> > >> Second, do you mean that in the signature name field you have a
> > >> number, and not the name of the alert?  Or are you saying that you
> > >> want the description of the rule displayed somewhere?
> > >>
> > >> Please clarify your statement so that we can make a better, more
> > >> helpful suggestion.
> > >>
> > >> Joel
> > >>
> > >> On May 12, 2008, at 5:04 AM, Berta Alcala wrote:
> > >>
> > >>> I use snort+acid+mysql. When I display the alerts there is a
> > >>> "Signature" column that is the signature ID.
> > >>> I need the "sig_name" field (which is the rule's description)
> > >>> instead of the sig_id. The problem is in the "acid_event" table:
> > >>> here there are "signature" and "sig_name", both with the same value,
> > >>> the ID.
> > >>> How can I get the description? There are a lot of files and I
> > >>> don't know which one I have to modify.
> > >>>
> > >>> _______________________________________________
> > >>> Snort-users mailing list
> > >>> Snort-users at lists.sourceforge.net
> > >>> Go to this URL to change user options or unsubscribe:
> > >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> > >>> Snort-users list archive:
> > >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >>
> > >>
> > >> --
> > >> Joel Esler
> > >>   joel.esler at ...3027...
> > >>   http://blog.joelesler.net
> > >> [m]
> > >
> > >
> >
> > --
> > Joel Esler
> 
=== message truncated ===
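Added example, not code from this thread or from Snort, Barnyard or BASE: it parses a constructed sid-msg.map excerpt in the Snort 2.x `sid || msg || refs` format, checks constructed acid_event-style rows for the symptom Berta describes (sig_name merely repeating the numeric ID), resolves the ones the map knows, and reports the IDs it does not, which is the sign that Barnyard was pointed at a stale or wrong map. It assumes the numeric value left in sig_name is the rule's Snort sid.

```python
# Constructed sid-msg.map excerpt (Snort 2.x v1 layout): sid || msg || ref,...
SID_MSG_MAP = """\
# comment lines and blank lines are ignored
1000001 || LOCAL example alert one || url,example.org/one
1000002 || LOCAL example alert two
"""

# Constructed acid_event-style rows showing the symptom from the thread:
# sig_name carries the numeric ID instead of the rule message.
ACID_EVENT_ROWS = [
    {"sid": 1, "cid": 10, "signature": 1000001, "sig_name": "1000001"},
    {"sid": 1, "cid": 11, "signature": 1000002, "sig_name": "1000002"},
    {"sid": 1, "cid": 12, "signature": 1000003, "sig_name": "1000003"},
]


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text, skipping malformed lines."""
    sids = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # tolerate a bad entry rather than abort the whole map
        sids[int(fields[0])] = fields[1]
    return sids


def is_unresolved(row):
    """True when sig_name just repeats the numeric signature value."""
    return str(row["sig_name"]).strip() == str(row["signature"]).strip()


def resolve_names(rows, sidmap):
    """Fill unresolved sig_name fields; also return sids absent from the map."""
    resolved, missing = [], []
    for row in rows:
        new = dict(row)
        if is_unresolved(row):
            sid = int(row["signature"])  # assumption: this is the Snort sid
            if sid in sidmap:
                new["sig_name"] = sidmap[sid]
            else:
                missing.append(sid)
        resolved.append(new)
    return resolved, sorted(set(missing))


if __name__ == "__main__":
    rows, missing = resolve_names(ACID_EVENT_ROWS, parse_sid_msg_map(SID_MSG_MAP))
    for r in rows:
        print(r["signature"], "->", r["sig_name"])
    if missing:
        print("sids not in sid-msg.map (stale or wrong map?):", missing)
```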