[Snort-users] Updating sid-msg.map

Jason Wallace jason.r.wallace at ...11827...
Thu Nov 18 07:48:23 EST 2010


I haven't used this in a while but I'm pretty sure you can do...

create-sidmap.pl /foo/rules/VRT/ /foo/rules/ET/ /foo/rules/GID3 > sid-msg.map



On Wed, Nov 17, 2010 at 11:11 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 11/17/2010 13:08, Lay, James wrote:
>> Snag Oinkmaster, nab the create-sidmap.pl, put it in your path and:
>>
>> /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map
>
> yes, we do this now...
>
>> Should create a sid-msg.map out of all the goodies found in the rules
>> dir.
>
> the goal is to figure out how to have it handle /multiple/ rules directories
>
> /foo/rules/VRT
> /foo/rules/ET
> /foo/rules/GID3
>
> or are you saying that it should walk thru all of them because they are all
> under /foo/rules ??
>
> i don't know if that has been tried by the testing team... they seem to actually
> want something "backwards" like
>
> /foo/VRT/rules
> /foo/ET/rules
> /foo/GID3/rules
>
> i'll give'em a kick to try it the other way and see what happens :)
>
>>
>> James
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>> Sent: Tuesday, November 16, 2010 6:22 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Updating sid-msg.map
>>
>> On 11/15/2010 22:35, Chan, Wilson wrote:
>>> First off what is the sid-msg.map used for? I looked in my oinkmaster
>>> config docs and they recommend to update the sourcefire and emerging
>>> threats rule via the create-sidmap.pl script.
>>
>> FWIW: in my environment, our snort logs do not display the GID:SID so
>> there was only the MSG text to go by... when i developed one of the mods
>> for my environment, i added a search capability to locate the MSG text
>> in the sid-msg.map file which then showed us the GID:SID which is needed
>> for other functions...
>>
>> [aside] i'm trying to figure out a way to generate the sid-msg.map file
>> from multiple rules directories so that the GID 3 rules are included in
>> the sid-msg.map but time has been very short with a new paying gig that
>> i've found... 12 hour days of driving do not leave much for network
>> security related work :? :(
>>
>> ------------------------------------------------------------------------
>> ------
>> Beautiful is writing same markup. Internet Explorer 9 supports standards
>> for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2&  L3.
>> Spend less time writing and  rewriting code and more time creating great
>> experiences on the web. Be a part of the beta today
>> http://p.sf.net/sfu/msIE9-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
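Doing what the thread describes, as an added example that is not part of the original messages and is not Oinkmaster's create-sidmap.pl: a small Python script that walks several rules directories (the /foo/rules/VRT, /foo/rules/ET, /foo/rules/GID3 layout above), pulls sid, gid, msg and reference out of every active rule, keeps the first definition when the same gid:sid shows up in two directories, and prints the classic "sid || msg || ref" lines of a Snort 2.x sid-msg.map. The sample rule text, the script name and the duplicate handling are constructed assumptions for this example.

```python
import os
import re
import sys
# One rule per line; capture the option block between the outermost parentheses.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'(?:^|;)\s*gid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'(?:^|;)\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'(?:^|;)\s*reference\s*:\s*([^;]+);')
# Constructed sample rules (not from any real ruleset); the third is disabled and must be skipped.
SAMPLE_RULES = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"GET /x;"; reference:url,example.invalid/a; sid:9000001; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE so rule stub"; gid:3; sid:9000002; rev:1; reference:url,example.invalid/b;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:9000003;)
'''

def parse_rules(text):
    """Yield (gid, sid, msg, [references]) per active rule line; gid defaults to 1."""
    for line in text.splitlines():
        if not (m := RULE_RE.match(line)):
            continue  # blank lines, comments and disabled ("# alert ...") rules
        opts = m.group(2)
        sid, msg = SID_RE.search(opts), MSG_RE.search(opts)
        if sid and msg:  # nothing to map without both sid and msg
            gid = GID_RE.search(opts)
            refs = [r.strip() for r in REF_RE.findall(opts)]
            yield (int(gid.group(1)) if gid else 1, int(sid.group(1)), msg.group(1), refs)

def build_sidmap(rule_dirs):
    """Walk every directory and merge all *.rules files into {(gid, sid): (msg, refs)}."""
    sidmap = {}
    for root_dir in rule_dirs:
        for root, _, files in os.walk(root_dir):
            for name in sorted(f for f in files if f.endswith('.rules')):
                path = os.path.join(root, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    for gid, sid, msg, refs in parse_rules(fh.read()):
                        if (gid, sid) in sidmap:  # first definition wins, report the rest
                            print(f'duplicate {gid}:{sid} in {path}', file=sys.stderr)
                        sidmap.setdefault((gid, sid), (msg, refs))
    return sidmap

def format_v1(sidmap):
    """Render the classic Snort 2.x 'sid || msg || ref || ref' lines, sorted by sid."""
    ordered = sorted(sidmap.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    return [' || '.join([str(sid), msg] + refs) for (_, sid), (msg, refs) in ordered]

if __name__ == '__main__':  # usage: sidmap.py /foo/rules/VRT /foo/rules/ET /foo/rules/GID3 > sid-msg.map
    print('\n'.join(format_v1(build_sidmap(sys.argv[1:]))))
```

The GID 3 stubs are picked up because the script only needs a msg and sid on the rule line; their gid is kept in the key so a shared-object sid cannot silently overwrite a GID 1 rule with the same number.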