[Snort-users] Linking rules in BASE

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Aug 24 12:15:29 EDT 2010


BASE has a link that you can see the actual rule text (from the rule file downloaded), if you put it in a specific directory and enable the option.  It just greps the rule text out of the file.  It's very useful sometimes to see exactly why a rule fired off on the traffic.

________________________________
From: JJC [mailto:cummingsj at ...11827...]
Sent: Tuesday, August 24, 2010 9:00 AM
To: Jefferson, Shawn
Cc: Kun, Mike; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Linking rules in BASE

Looks like I'll have to set up BASE to see exactly what you are talking about here... I suspect it's the rules .txt files that contain the rule documentation that BASE is looking for, but I'm not exactly sure since I don't use BASE. Do you have a screenshot/pastebin or something that I can have a quick look at?
On Tue, Aug 24, 2010 at 9:47 AM, Jefferson, Shawn <Shawn.Jefferson at ...14534......<mailto:Shawn.Jefferson at ...14448...>> wrote:
Hi,

I am copying the snort.rules and emerging.rules files, yes.  Is the rule sid that you are trying to look up even in that directory?  Also, check the permissions/ownership on the file; that may also be an issue (I think I had that issue when I first set this up).



-----Original Message-----
From: Kun, Mike [mailto:mkun at ...6382...<mailto:mkun at ...6382...>]
Sent: Tuesday, August 24, 2010 8:43 AM
To: Jefferson, Shawn; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: RE: Linking rules in BASE

Are you copying the snort.rules file?
I tried that on my install, but I'm still getting the same error. It looks to me like BASE can't query the snort.rules file correctly.

- -Mike


> -----Original Message-----
> From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...<mailto:Shawn.Jefferson at ...14448...>]
> Sent: Tuesday, August 24, 2010 11:39 AM
> To: Kun, Mike; snort-users at lists.sourceforge.net<mailto:snort-users at ...7287....sourceforge.net>
> Subject: RE: Linking rules in BASE
>
> Hi,
>
> I have a cron job that copies the text rule files from the location
> pulledpork puts them into the base www directory.  Seems to work for
> me.
>
> -----Original Message-----
> From: Kun, Mike [mailto:mkun at ...6382...<mailto:mkun at ...6382...>]
> Sent: Tuesday, August 24, 2010 8:13 AM
> To: snort-users at lists.sourceforge.net<mailto:snort-users at ...2652...e.net>
> Subject: [Snort-users] Linking rules in BASE
>
> Is there a way to get the "rule" links working when using pulledpork
> to pull in a snort.rules file?
> When I symlink BASE to the file I get " ERROR: Could not find
> "sig:XXXXX;" in directory "rules/"."
> In that directory is the snort.rules file the pulledpork created.
> Any advice?
>
> - -Mike
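The checks suggested in this thread (is the SID actually in a file in the rules directory, and can the web server read that file or follow the symlink) can be scripted. The following is an added example, not part of the original messages and not BASE's own lookup code; the function name `find_sid`, the `*.rules` glob and the sample rule are assumptions, and it should be run as the user the web server runs as.

```shell
#!/bin/sh
# find_sid DIR SID prints one status line:
#   found:<file>       a readable *.rules file contains "sid:SID;"
#   unreadable:<file>  a candidate file is unreadable or a dangling symlink
#   missing            every file was readable but none holds the SID
#   nodir / badsid     DIR cannot be entered / SID is not numeric
find_sid() {
    dir=$1; sid=$2
    case $sid in ''|*[!0-9]*) echo "badsid"; return 2 ;; esac
    [ -d "$dir" ] && [ -x "$dir" ] || { echo "nodir"; return 1; }
    blocked=""
    for f in "$dir"/*.rules; do
        # A symlink whose target is gone looks like "file not found" to a grep
        if [ -L "$f" ] && [ ! -e "$f" ]; then blocked=$f; continue; fi
        [ -e "$f" ] || continue            # glob matched nothing
        if [ ! -r "$f" ]; then blocked=$f; continue; fi
        # Snort rules carry their id as "sid:<n>;"
        if grep -Eq "sid:[[:space:]]*${sid};" "$f"; then
            echo "found:$f"; return 0
        fi
    done
    if [ -n "$blocked" ]; then echo "unreadable:$blocked"; return 1; fi
    echo "missing"; return 1
}

# Demonstration on a constructed rules directory (sample rule is made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
      'alert tcp any any -> any 80 (msg:"constructed example"; sid:1000001; rev:1;)' \
      > "$d/snort.rules"
    find_sid "$d" 1000001 || true    # prints found:<tmpdir>/snort.rules
    find_sid "$d" 1000002 || true    # prints missing
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```
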
