[Snort-users] Updating sid-msg.map
wkitty42 at ...14940...
Wed Nov 17 05:19:12 EST 2010
On 11/16/2010 20:46, Joel Esler wrote:
> Pulledpork does these functions by default.
yes yes yes, but we do not have pp in our environment and no one has had a chance
to break [any|every]thing seeing if they can get it into it... pp has (had?) a
few things that are counter to how our setup operates, but they may be different
now... the main one of those was putting all rules into one file... that's a
huge no-no in our environment...
> Sent from my iPhone
> On Nov 16, 2010, at 8:21 PM, waldo kitty<wkitty42 at ...14940...> wrote:
>> On 11/15/2010 22:35, Chan, Wilson wrote:
>>> First off what is the sid-msg.map used for? I looked in my oinkmaster config
>>> docs and they recommend to update the sourcefire and emerging threats rule via
>>> the create-sidmap.pl script.
>> FWIW: in my environment, our snort logs do not display the GID:SID, so there was
>> only the MSG text to go by... when i developed one of the mods for my
>> environment, i added a search capability to locate the MSG text in the
>> sid-msg.map file, which then showed us the GID:SID which is needed for other
>> [aside] i'm trying to figure out a way to generate the sid-msg.map file from
>> multiple rules directories so that the GID 3 rules are included in the
>> sid-msg.map, but time has been very short with a new paying gig that i've
>> found... 12-hour days of driving do not leave much for network-security-related
>> work :? :(
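As an added example (not code from the original post, from the Snort project, or from create-sidmap.pl), here is a Python script that does the two things discussed in the thread: it builds a sid-msg.map from several rule directories without dropping the GID 3 shared-object stub rules, and it offers the reverse lookup from MSG text to GID:SID. It assumes the v1 sid-msg.map layout `sid || msg || ref || ...` that create-sidmap.pl writes; since that layout has no gid column, the script also reports any SID that appears under more than one GID, because such entries would silently overwrite each other in the map. The rule tree, file names, messages and reference URLs are constructed for the example.

```python
"""Build a sid-msg.map from several Snort rule directories, keeping GID 3
(shared-object stub) rules, and look up GID:SID by message text.

Added example, not code from the original post or from the Snort project.
Assumes the v1 sid-msg.map layout "sid || msg || ref || ..."; the sample
rules below are constructed, not taken from any real ruleset.
"""
import os
import re
import sys
from typing import Dict, Iterable, Iterator, List, NamedTuple, Optional, Tuple


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    refs: Tuple[str, ...]  # "type,value" strings exactly as written in the rule


# Constructed sample tree (path -> file text) standing in for real rule dirs:
# one directory of ordinary GID 1 text rules, one of GID 3 stub rules.
SAMPLE_TREE: Dict[str, str] = {
    "rules/local.rules":
        'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL example HTTP probe"; '
        'flow:to_server,established; content:"GET /probe"; '
        'reference:url,example.test/probe; classtype:attempted-recon; '
        'sid:1000001; rev:2;)\n'
        '# a disabled (commented) rule must not reach the map\n'
        '#alert tcp any any -> any 81 (msg:"LOCAL disabled"; sid:1000002; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh brute force"; \\\n'
        '    threshold:type both,track by_src,count 5,seconds 60; sid:1000004; rev:1;)\n',
    "so_rules/web.rules":
        'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SO example shared-object rule"; '
        'reference:url,example.test/so; gid:3; sid:1000003; rev:1;)\n',
}

OPT_MSG = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
OPT_GID = re.compile(r'\bgid:\s*(\d+)\s*;')
OPT_SID = re.compile(r'\bsid:\s*(\d+)\s*;')
OPT_REV = re.compile(r'\brev:\s*(\d+)\s*;')
OPT_REF = re.compile(r'\breference:\s*([^;]+?)\s*;')


def iter_rule_lines(text: str) -> Iterator[str]:
    """Yield logical rules: join backslash continuations, skip blanks/comments."""
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = " ".join(part.strip() for part in buf).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical


def parse_rule(line: str) -> Optional[RuleEntry]:
    """Extract gid/sid/rev/msg/references; gid defaults to 1 as in Snort."""
    m_msg, m_sid = OPT_MSG.search(line), OPT_SID.search(line)
    if not (m_msg and m_sid):
        return None  # not a detection rule (or malformed): skip, don't guess
    m_gid, m_rev = OPT_GID.search(line), OPT_REV.search(line)
    gid = int(m_gid.group(1)) if m_gid else 1
    rev = int(m_rev.group(1)) if m_rev else 0
    refs = tuple(r.strip() for r in OPT_REF.findall(line))
    return RuleEntry(gid, int(m_sid.group(1)), rev, m_msg.group(1), refs)


def load_rule_dirs(dirs: Iterable[str]) -> Dict[str, str]:
    """Read every *.rules file under the given directories (path -> text)."""
    files: Dict[str, str] = {}
    for d in dirs:
        for root, _, names in os.walk(d):
            for name in names:
                if name.endswith(".rules"):
                    path = os.path.join(root, name)
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        files[path] = fh.read()
    return files


def collect_rules(files: Dict[str, str]) -> Dict[Tuple[int, int], RuleEntry]:
    """Index rules by (gid, sid); when a rule repeats, keep the newest rev."""
    entries: Dict[Tuple[int, int], RuleEntry] = {}
    for path in sorted(files):
        for line in iter_rule_lines(files[path]):
            entry = parse_rule(line)
            if entry is None:
                continue
            key = (entry.gid, entry.sid)
            if key in entries and entries[key].rev >= entry.rev:
                continue
            entries[key] = entry
    return entries


def sid_collisions(entries: Dict[Tuple[int, int], RuleEntry]) -> Dict[int, List[int]]:
    """SIDs used under more than one GID: the v1 map has no gid column, so
    these lines would overwrite each other and need manual resolution."""
    by_sid: Dict[int, List[int]] = {}
    for gid, sid in entries:
        by_sid.setdefault(sid, []).append(gid)
    return {sid: sorted(gids) for sid, gids in by_sid.items() if len(gids) > 1}


def format_sid_msg_map(entries: Dict[Tuple[int, int], RuleEntry]) -> List[str]:
    """Emit v1 lines 'sid || msg || ref...' ordered by sid, then gid."""
    ordered = sorted(entries.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    return [" || ".join([str(sid), e.msg, *e.refs]) for (_, sid), e in ordered]


def lookup_by_msg(entries: Dict[Tuple[int, int], RuleEntry], needle: str) -> List[Tuple[int, int]]:
    """The reverse search from the thread: MSG text -> matching (gid, sid)."""
    needle = needle.lower()
    return sorted((g, s) for (g, s), e in entries.items() if needle in e.msg.lower())


if __name__ == "__main__":
    # Directories on the command line: read real rule files; otherwise use the sample.
    tree = load_rule_dirs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_TREE
    found = collect_rules(tree)
    for clash_sid, gids in sid_collisions(found).items():
        print(f"# WARNING: sid {clash_sid} used by gids {gids}", file=sys.stderr)
    print("\n".join(format_sid_msg_map(found)))
```

Run it as `python3 build_sidmap.py rules so_rules > sid-msg.map` (the script name is an assumption). Commented-out rules never reach the map, a rule that appears in two directories keeps its highest rev, and any SID shared between GID 1 and GID 3 is warned about on stderr so it can be resolved before the map is put into production.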