[Snort-users] Updating sid-msg.map

Nigel Houghton nhoughton at ...1935...
Tue Nov 16 09:03:29 EST 2010


On Mon, 15 Nov 2010 17:35:02 -1000, Chan, Wilson wrote:
> First off, what is the sid-msg.map used for? I looked in my oinkmaster
> config docs and they recommend updating the Sourcefire and Emerging
> Threats rules via the create-sidmap.pl script.
> Since I have oinkmaster dumping ET and Sourcefire rules to
> /etc/snort/rules, do I just run the perl script like this?
>
> ===============================================
> create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
> ===============================================
>
> I've also googled and found this as another alternative.
>  
> =========================================================================================================================
> Cron script to refresh sid-msg.map, otherwise you will get
> unidentified alerts:
>
> #!/bin/sh
> /usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/emerging-threads -C /usr/local/etc/oinkmaster.emerging.conf
> /bin/rm /usr/local/etc/snort/sid-msg.map
> /bin/cat /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/rules/emerging-threads/emerging-sid-msg.map > /usr/local/etc/snort/sid-msg.map
> /usr/local/etc/rc.d/snort restart
> =========================================================================================================================
>  
> Wilson

I do not suggest you use that cron script.

I do suggest using PulledPork and have that handle everything.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
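For readers wondering what the file in question actually contains: sid-msg.map is the table that unified-output consumers (barnyard2 and similar) use to turn the bare gid/sid/rev in a unified alert record back into the rule's msg text and references, which is why a stale map produces "unidentified" alerts. The script below is an added example written for this page, not create-sidmap.pl, PulledPork, or any other code from the thread. It walks a set of .rules files, skips commented-out rules, pulls sid, msg and reference from each active rule, flags sids that are defined more than once (which happens when two rule feeds collide), and writes the classic `sid || msg || ref || ref` format. The SAMPLE_RULES text, the example.invalid URLs and the 90000xx sids are constructed for the demo; the regexes are a simplification of Snort's rule grammar and assume one rule per line.

```python
"""Build a Snort sid-msg.map from .rules files (added example, not code from the thread)."""
import glob
import os
import re
import sys

# Simplified patterns for the three rule options sid-msg.map needs. msg is a
# double-quoted string that may contain backslash escapes; sid is an integer;
# a rule may carry any number of reference options.
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+?)\s*;')

# Constructed sample rules (not from the original post): an active rule with two
# references, a commented-out rule, the same sid defined twice, and a rule
# without a sid.
SAMPLE_RULES = r'''
# A comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH login attempt"; flow:to_server,established; reference:url,example.invalid/ssh; reference:url,example.invalid/ssh2; classtype:attempted-admin; sid:9000001; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS query"; sid:9000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS query, newer revision"; sid:9000003; rev:2;)
alert ip any any -> any any (msg:"EXAMPLE rule without sid";)
'''


def parse_rules(text):
    """Return ({sid: (msg, [refs])}, duplicate_sids) for the active rules in text.

    Lines starting with '#' (disabled rules) and lines lacking either a msg or a
    sid are skipped. When a sid appears more than once the later definition
    wins and the sid is reported in duplicate_sids so the operator can see it.
    """
    entries = {}
    duplicates = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        msg_m = MSG_RE.search(line)
        if not (sid_m and msg_m):
            continue
        sid = int(sid_m.group(1))
        if sid in entries:
            duplicates.append(sid)
        entries[sid] = (msg_m.group(1), REF_RE.findall(line))
    return entries, duplicates


def format_sid_msg_map(entries):
    """Render entries as 'sid || msg || ref || ref' lines, sorted by sid."""
    lines = []
    for sid in sorted(entries):
        msg, refs = entries[sid]
        lines.append(' || '.join([str(sid), msg] + refs))
    return '\n'.join(lines) + ('\n' if lines else '')


def load_sid_msg_map(text):
    """Parse a sid-msg.map back into {sid: msg}, the lookup an alert consumer does."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if len(fields) >= 2 and fields[0].isdigit():
            table[int(fields[0])] = fields[1]
    return table


def build_from_dir(rules_dir):
    """Parse every *.rules file under rules_dir; return (map_text, duplicate_sids)."""
    merged = {}
    dupes = []
    for path in sorted(glob.glob(os.path.join(rules_dir, '*.rules'))):
        with open(path, encoding='utf-8', errors='replace') as fh:
            entries, file_dupes = parse_rules(fh.read())
        dupes.extend(sid for sid in entries if sid in merged)
        dupes.extend(file_dupes)
        merged.update(entries)
    return format_sid_msg_map(merged), sorted(set(dupes))


if __name__ == '__main__':
    # Usage: python sidmap.py /etc/snort/rules > /etc/snort/sid-msg.map
    # With no argument the constructed SAMPLE_RULES are used instead.
    if len(sys.argv) > 1:
        map_text, dupes = build_from_dir(sys.argv[1])
    else:
        parsed, dupes = parse_rules(SAMPLE_RULES)
        map_text = format_sid_msg_map(parsed)
    sys.stdout.write(map_text)
    for sid in sorted(set(dupes)):
        sys.stderr.write('warning: sid %d defined more than once\n' % sid)
```

Redirecting the output straight over the live sid-msg.map is the same pattern as the one-liner in the question; writing to a temporary file and renaming it into place avoids a window in which the consumer sees an empty map.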

