[Snort-users] Updating sid-msg.map

waldo kitty wkitty42 at ...14940...
Wed Nov 17 23:11:48 EST 2010


On 11/17/2010 13:08, Lay, James wrote:
> Snag Oinkmaster, nab the create-sidmap.pl, put it in your path and:
>
> /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

yes, we do this now...

> Should create a sid-msg.map out of all the goodies found in the rules
> dir.

the goal is to figure out how to have it handle /multiple/ rules directories

/foo/rules/VRT
/foo/rules/ET
/foo/rules/GID3

or are you saying that it should walk thru all of them because they are all 
under /foo/rules ??

i don't know if that has been tried by the testing team... they seem to actually 
want something "backwards" like

/foo/VRT/rules
/foo/ET/rules
/foo/GID3/rules

i'll give'em a kick to try it the other way and see what happens :)

>
> James
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Tuesday, November 16, 2010 6:22 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Updating sid-msg.map
>
> On 11/15/2010 22:35, Chan, Wilson wrote:
>> First off what is the sid-msg.map used for? I looked in my oinkmaster
>> config docs and they recommend to update the sourcefire and emerging
>> threats rule via the create-sidmap.pl script.
>
> FWIW: in my environment, our snort logs do not display the GID:SID so
> there was only the MSG text to go by... when i developed one of the mods
> for my environment, i added a search capability to locate the MSG text
> in the sid-msg.map file which then showed us the GID:SID which is needed
> for other functions...
>
> [aside] i'm trying to figure out a way to generate the sid-msg.map file
> from multiple rules directories so that the GID 3 rules are included in
> the sid-msg.map but time has been very short with a new paying gig that
> i've found... 12 hour days of driving do not leave much for network
> security related work :? :(
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
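The question in this thread (one sid-msg.map built from /foo/rules/VRT, /foo/rules/ET and /foo/rules/GID3, or from the "backwards" /foo/VRT/rules layout) is small enough to show end to end. The script below is an added example written for this page; it is not create-sidmap.pl from Oinkmaster and not code from either poster. It assumes the legacy `sid || msg || reference` line format, that rule files end in `.rules`, and (as create-sidmap.pl is widely described as doing) that rules commented out with a leading `#` are still indexed. Because that legacy format has no gid column, a GID 3 shared-object stub that reuses a sid number already present in GID 1 produces two lines with the same sid; the script keeps both entries keyed by (gid, sid) and warns about such collisions so you can check how your Snort version's sid-msg.map handles gids. The sample rules are constructed for the example.

```python
"""Build a Snort sid-msg.map from several rules directories at once (added example)."""
import re
import sys
from pathlib import Path

# A rule starts with one of these actions; a leading '#' before an action
# marks a disabled rule, which is still indexed (assumption, see lead-in).
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def iter_rules(text):
    """Yield one logical rule per item: join backslash continuations,
    drop blank lines and plain comments, keep '#'-disabled rules."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        rule = " ".join(buf).strip()
        buf = []
        if rule.startswith("#"):
            rule = rule.lstrip("# ").strip()
        if rule.split(" ", 1)[0] in ACTIONS:
            yield rule


def parse_rule(rule):
    """Return (gid, sid, msg, [references]) or None if sid/msg are missing.
    Rules without an explicit gid option belong to GID 1."""
    sid = SID_RE.search(rule)
    msg = MSG_RE.search(rule)
    if not sid or not msg:
        return None
    gid = GID_RE.search(rule)
    refs = [r.strip() for r in REF_RE.findall(rule)]
    return (int(gid.group(1)) if gid else 1), int(sid.group(1)), msg.group(1), refs


def build_entries(sources):
    """sources: iterable of (label, rule_file_text).
    Returns ({(gid, sid): (msg, refs)}, [(gid, sid, label) redefined with another msg])."""
    entries, overrides = {}, []
    for label, text in sources:
        for rule in iter_rules(text):
            parsed = parse_rule(rule)
            if parsed is None:
                continue
            gid, sid, msg, refs = parsed
            if (gid, sid) in entries and entries[(gid, sid)][0] != msg:
                overrides.append((gid, sid, label))
            entries[(gid, sid)] = (msg, refs)
    return entries, overrides


def build_from_dirs(rule_dirs):
    """Walk every directory recursively, so passing /foo/rules once covers
    /foo/rules/VRT, /foo/rules/ET and /foo/rules/GID3, and passing
    /foo/VRT/rules /foo/ET/rules /foo/GID3/rules covers the other layout."""
    sources = []
    for d in rule_dirs:
        for path in sorted(Path(d).rglob("*.rules")):
            sources.append((str(path), path.read_text(errors="replace")))
    return build_entries(sources)


def legacy_collisions(entries):
    """sids that exist under more than one gid: ambiguous in a gid-less sid-msg.map."""
    by_sid = {}
    for gid, sid in entries:
        by_sid.setdefault(sid, set()).add(gid)
    return sorted(sid for sid, gids in by_sid.items() if len(gids) > 1)


def render_sidmap(entries):
    """Legacy 'sid || msg || ref...' lines, ordered by sid then gid."""
    lines = []
    for (gid, sid), (msg, refs) in sorted(entries.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


# Constructed sample rule files standing in for VRT, ET and GID 3 directories.
SAMPLE_SOURCES = [
    ("VRT/web.rules", r"""
# constructed sample, not a real VRT rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT test rule"; \
    content:"GET"; reference:url,example.com/note; sid:1000001; rev:1;)
"""),
    ("ET/emerging.rules", r"""
#alert udp $HOME_NET any -> any 53 (msg:"ET disabled rule"; sid:2000001; rev:2;)
"""),
    ("GID3/so_rules.rules", r"""
alert tcp any any -> any any (msg:"SO rule"; sid:1000001; gid:3; rev:1;)
"""),
]

if __name__ == "__main__":
    # usage: python sidmap.py /foo/rules   (or several directories)
    entries, overrides = build_from_dirs(sys.argv[1:]) if sys.argv[1:] else build_entries(SAMPLE_SOURCES)
    for gid, sid, where in overrides:
        print(f"warning: {gid}:{sid} redefined with a different msg in {where}", file=sys.stderr)
    for sid in legacy_collisions(entries):
        print(f"warning: sid {sid} exists under more than one gid; legacy sid-msg.map has no gid column", file=sys.stderr)
    sys.stdout.write(render_sidmap(entries))
```

Run with no arguments to see the constructed sample, or point it at one or more rules directories and redirect stdout to sid-msg.map as in the command quoted above; collision and override warnings go to stderr so they never land in the map file.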
