[Snort-users] Updating sid-msg.map

waldo kitty wkitty42 at ...14940...
Wed Nov 17 05:19:12 EST 2010


On 11/16/2010 20:46, Joel Esler wrote:
> Pulledpork does these functions by default.

yes yes yes but we do not have pp in our environment and no one has had a chance 
to break [any|every]thing seeing if they can get it into it... pp has (had?) a 
few things that are counter to how our setup operates but they may be different 
now... the main one of those was putting all rules into one file... that's a 
huge no-no in our environment...

> Sent from my iPhone
>
> On Nov 16, 2010, at 8:21 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>
>> On 11/15/2010 22:35, Chan, Wilson wrote:
>>> First off what is the sid-msg.map used for? I looked in my oinkmaster config
>>> docs and they recommend to update the sourcefire and emerging threats rule via
>>> the create-sidmap.pl script.
>>
>> FWIW: in my environment, our snort logs do not display the GID:SID so there was
>> only the MSG text to go by... when i developed one of the mods for my
>> environment, i added a search capability to locate the MSG text in the
>> sid-msg.map file which then showed us the GID:SID which is needed for other
>> functions...
>>
>> [aside] i'm trying to figure out a way to generate the sid-msg.map file from
>> multiple rules directories so that the GID 3 rules are included in the
>> sid-msg.map but time has been very short with a new paying gig that i've
>> found... 12-hour days of driving do not leave much for network security related
>> work :? :(

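What the aside asks for, as an added example that is not part of the original message and is neither oinkmaster's create-sidmap.pl nor pulledpork code: a small Python script that merges rules from several directories (a rules/ and a so_rules/ tree in the constructed sample) into one sid-msg.map, keeps the gid so a GID 3 rule does not collide with a GID 1 rule that reuses the same SID, and answers the MSG-text lookup that the mod described earlier in the thread needs (MSG text in, GID:SID out). It assumes the v2 map layout that Snort 2.9.x reads (`#v2` header, then `gid || sid || rev || classtype || priority || msg || ref ...`); the older layout is `sid || msg || ref ...` and has no gid column. Directory names, the `.rules` glob, the sample rules and the priority default of 0 are assumptions for the illustration.

```python
"""Build a Snort sid-msg.map (v2 layout) from several rule directories.

Added example, not oinkmaster's create-sidmap.pl and not pulledpork.
Assumed v2 layout (Snort 2.9.x):
    #v2
    gid || sid || rev || classtype || priority || msg || ref || ref ...
GID 3 (shared-object) stub rules are assumed to carry an explicit 'gid:3;'
option; a rule without gid defaults to GID 1, as Snort does.
"""
import re
from pathlib import Path

# A rule starts with an action word; a leading '#' marks a disabled rule.
ACTION_RE = re.compile(r'^(alert|log|pass|drop|sdrop|reject|activate|dynamic)\s')
INT_OPTS = {name: re.compile(r'\b%s\s*:\s*(\d+)\s*;' % name)
            for name in ("sid", "gid", "rev", "priority")}
CLASS_RE = re.compile(r'\bclasstype\s*:\s*([\w-]+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')   # honours \" inside msg
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def logical_lines(text):
    """Yield rule lines with backslash continuations joined; drop blanks/comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line = buf + " " + line
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if buf:
        yield buf


def parse_rule(line):
    """Return a record for one enabled rule, or None if the line is not a usable rule."""
    if not ACTION_RE.match(line) or "(" not in line:
        return None
    opts = line[line.index("("):]
    msg = MSG_RE.search(opts)
    rest = MSG_RE.sub("", opts)        # search numeric options outside the msg text
    sid = INT_OPTS["sid"].search(rest)
    if not sid or not msg:
        return None                    # the map needs both sid and msg

    def int_opt(name, default):
        m = INT_OPTS[name].search(rest)
        return int(m.group(1)) if m else default

    cls = CLASS_RE.search(rest)
    return {
        "gid": int_opt("gid", 1),
        "sid": int(sid.group(1)),
        "rev": int_opt("rev", 1),
        "classtype": cls.group(1) if cls else "",
        "priority": int_opt("priority", 0),   # assumption: 0 when the rule sets none
        "msg": msg.group(1).replace('\\"', '"'),
        "refs": [r.strip() for r in REF_RE.findall(rest)],
    }


def build_map(texts):
    """Merge rule texts into {(gid, sid): record}; on duplicates keep the higher rev."""
    records = {}
    for text in texts:
        for line in logical_lines(text):
            rec = parse_rule(line)
            if rec is None:
                continue
            key = (rec["gid"], rec["sid"])
            if key not in records or rec["rev"] > records[key]["rev"]:
                records[key] = rec
    return records


def read_rule_dirs(dirs):
    """Read every *.rules file under each directory, e.g. ['rules', 'so_rules']."""
    return [p.read_text(errors="replace")
            for d in dirs for p in sorted(Path(d).rglob("*.rules"))]


def format_v2(records):
    """Render the merged records as a v2 sid-msg.map, sorted by gid then sid."""
    lines = ["#v2"]
    for r in sorted(records.values(), key=lambda r: (r["gid"], r["sid"])):
        fields = [str(r["gid"]), str(r["sid"]), str(r["rev"]), r["classtype"],
                  str(r["priority"]), r["msg"]] + r["refs"]
        lines.append(" || ".join(fields))
    return "\n".join(lines) + "\n"


def find_by_msg(records, needle):
    """The MSG-text search: return sorted (gid, sid) pairs whose msg contains needle."""
    n = needle.lower()
    return sorted(k for k, r in records.items() if n in r["msg"].lower())


# Constructed sample rule files standing in for rules/ and so_rules/;
# not real Sourcefire or Emerging Threats content.
SAMPLE_RULES = r'''
# rules/example.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB probe"; \
    flow:to_server,established; content:"probe"; classtype:web-application-attack; \
    sid:1000001; rev:2; reference:url,example.invalid/probe;)
# alert tcp any any -> any 25 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE DNS \"quoted\" probe"; sid:1000003; rev:1; classtype:attempted-recon; priority:2;)
'''
SAMPLE_SO_RULES = r'''
# so_rules/example.rules (GID 3 stubs; same SID as a GID 1 rule above)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SO SMB overflow"; sid:1000001; gid:3; rev:3; classtype:attempted-admin; reference:url,example.invalid/smb;)
'''

if __name__ == "__main__":
    recs = build_map([SAMPLE_RULES, SAMPLE_SO_RULES])   # or build_map(read_rule_dirs([...]))
    print(format_v2(recs), end="")
    print("lookup 'smb overflow' ->", find_by_msg(recs, "smb overflow"))
```

The merge keys on (gid, sid) rather than sid alone; the constructed sample deliberately reuses SID 1000001 in both a GID 1 and a GID 3 rule, and a sid-only map would silently keep one of the two messages.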