[Snort-users] gen-msg file

Joel Esler jesler at ...1935...
Mon Jul 26 21:54:10 EDT 2010


Do you have barnyard pointing at the correct sidmsg.map file?

--
Sent from my iPad

On Jul 26, 2010, at 9:45 PM, ll <ibeginhere at ...11827...> wrote:

> Yes, I have restarted barnyard too.
> 
> Do I need to rebuild the database (mysql)? Because when I looked at the signature table, the sig_name is a number, like this:
> |    213 | Snort Alert [200:1000004:0]                                                                                    |           14 |            1 |       0 | 1000004 |    NULL | 
> +--------+------------------
> 
> On 2010-7-27 9:21, Joel Esler wrote:
>> 
>> You need to restart barnyard. Not Snort. 
>> 
>> 
>> Sent from my iPhone
>> 
>> On Jul 26, 2010, at 8:55 PM, ll <ibeginhere at ...11827...> wrote:
>> 
>>> Hi, I tried it. I ran the command "oinkmaster-2.0/contrib/create-sidmap.pl /etc/snort/rules/ > sid-msg.map"
>>> and I found the new sid-msg.map file; some sig-msg info defined in my rules is already in the new file. But even after I restart snort to load the config again, the alarm msg is still a number.
>>> What could the problem be?
>>> 
>>> On 2010-7-26 19:07, Joel Esler wrote:
>>>> 
>>>> You need to use the create sig-msg.map script that comes with oinkmaster. 
>>>> 
>>>> --
>>>> Sent from my iPad
>>>> 
>>>> On Jul 26, 2010, at 2:42 AM, ll <ibeginhere at ...11827...> wrote:
>>>> 
>>>>> Yes, I read that from the user manual. I wrote a rule like this: "gid:200;sid:1000001;rev:1;classtype:web-application-attack;)"
>>>>> and I modified the gen-msg.map file:
>>>>> # Format: generatorid || alertid || MSG
>>>>> 200 || 1 || test 
>>>>> and the sid-msg.map file:
>>>>> 1000001 || browse directory || url,doc.emergingthreats.net/bin/view/Main/TorRules
>>>>> But the signature is shown in BASE like this:
>>>>> Snort Alert [200:1000001:0]
>>>>> 
>>>>> I want a message to be shown in BASE, not just the number.
>>>>> 
>>>>> On 2010-7-23 19:55, Joel Esler wrote:
>>>>>> Generatorid is the number of the individual generator (preprocessor, rule), alert id is the number of the individual alert, within that generator.
>>>>>> 
>>>>>> The MSG describes the first two.
>>>>>> 
>>>>>> J
>>>>>> 
>>>>>> On Jul 23, 2010, at 6:02 AM, ll wrote:
>>>>>> 
>>>>>>> Hi all,
>>>>>>> in the file gen-msg.map:
>>>>>>> # Format: generatorid || alertid || MSG
>>>>>>> 
>>>>>>> What does that alertid mean? It is not mentioned in the users manual.
>>>>> 
>>>> 
>>> 
>> 
> 
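The thread turns on how a log consumer such as barnyard turns a gid:sid:rev triple into the text that BASE displays, using the two map files discussed above. The following resolver is an added example, not code from the thread, from Snort or from barnyard: it parses the `generatorid || alertid || MSG` format of gen-msg.map and the `sid || msg || reference` format of sid-msg.map, then looks up an event. The lookup order (rule generators consult sid-msg.map, every other generator consults gen-msg.map keyed on the gid/sid pair) and the fallback string are assumptions modelled on the behaviour described in the thread, and the map contents are constructed from the values quoted in it.

```python
# Added example: resolve a Snort gid:sid:rev triple to a message using
# gen-msg.map and sid-msg.map. Lookup order and fallback format are
# assumptions for illustration; the sample map contents are constructed.

# Constructed gen-msg.map content (format: generatorid || alertid || MSG).
# Note the thread's original entry "200 || 1 || test" does not match a rule
# with sid 1000001; the extra line shows the pairing that would.
GEN_MSG_MAP = """\
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
200 || 1 || test
200 || 1000001 || browse directory
"""

# Constructed sid-msg.map content (format: sid || msg || reference ...).
SID_MSG_MAP = """\
# Format: sid || msg || reference
1000001 || browse directory || url,doc.emergingthreats.net/bin/view/Main/TorRules
"""

# Assumption: generators whose events are looked up by sid alone.
RULE_GENERATORS = {1, 3}


def _fields(line):
    """Split a map line on '||', stripping whitespace; None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return [p.strip() for p in line.split("||")]


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} from gen-msg.map text, skipping malformed lines."""
    table = {}
    for line in text.splitlines():
        parts = _fields(line)
        if not parts or len(parts) < 3:
            continue
        try:
            key = (int(parts[0]), int(parts[1]))
        except ValueError:
            continue  # non-numeric gid/sid: ignore the line
        table[key] = parts[2]
    return table


def parse_sid_msg_map(text):
    """Return {sid: (msg, [references])} from sid-msg.map text."""
    table = {}
    for line in text.splitlines():
        parts = _fields(line)
        if not parts or len(parts) < 2:
            continue
        try:
            sid = int(parts[0])
        except ValueError:
            continue
        table[sid] = (parts[1], parts[2:])
    return table


def resolve_message(gid, sid, rev, gen_map, sid_map):
    """Map an event to its message text, or to the generic fallback string."""
    if gid in RULE_GENERATORS:
        entry = sid_map.get(sid)
        if entry is not None:
            return entry[0]
    else:
        msg = gen_map.get((gid, sid))
        if msg is not None:
            return msg
    # Assumed fallback when no mapping exists: the bare numeric triple.
    return "Snort Alert [%d:%d:%d]" % (gid, sid, rev)


if __name__ == "__main__":
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    for gid, sid, rev in [(200, 1000001, 0), (200, 1000004, 0), (1, 1000001, 1)]:
        print(gid, sid, rev, "->", resolve_message(gid, sid, rev, gen_map, sid_map))
```

Running it shows the difference between an event whose gid/sid pair has a gen-msg.map line (resolved to text) and one that has none (left as the bare numeric triple, which is what the thread reports seeing in BASE); an entry in sid-msg.map alone only helps events from the rule generators.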