[Snort-users] undescribed alerts

Rick Chisholm rchisholm at ...15434...
Mon Nov 14 11:55:56 EST 2011


It looks like pulledpork is failing at this, but I'm not too sure it's
honoring disablesid.conf either since the upgrades...


On Mon, November 14, 2011 9:51 am, JJC wrote:
> Pulled pork automatically does this for you
>
> Sent from my iPad
>
> On Nov 14, 2011, at 9:44, Scott Runnels <srunnels at ...11827...> wrote:
>
>> Hi Rick,
>>
>> Whenever this has happened to me it's always turned out to be the
>> sid-msg.map file.  Rebuilding usually solves the problem for me.
>>
>> If you are using oinkmaster, I believe it comes with create-sidmap.pl,
>> something like:  create-sidmap.pl /path/to/rules/ >
>> /path/to/snort/sid-msg.map
>>
>> Good luck,
>> Scott
>>
>>
>> On Nov 14, 2011, at 9:07 AM, Rick Chisholm wrote:
>>
>>> I'm getting alerts in BASE that look like:
>>>
>>> Snort Alert [124:9:0]
>>> Snort Alert [120:8:0]
>>>
>>> Instead of the usual, more descriptive alerts.  I think it has
>>> something
>>> to do with *.map or *.config files, but I'm not entirely certain.
>>>
>>>
>>> --
>>> Rick Chisholm
>>> Systems Administrator
>>> Parallel42
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> RSA(R) Conference 2012
>>> Save $700 by Nov 18
>>> Register now
>>> http://p.sf.net/sfu/rsa-sfdev2dev1
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>
>


-- 
Rick Chisholm
Systems Administrator
Parallel42
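
Added example, not part of the original thread or of any tool's own code: a small Python check that tells which map file an undescribed `[gid:sid:rev]` alert like the ones above would be looked up in, and whether that file has an entry. It assumes the Snort 2.x map formats (`sid || msg` in sid-msg.map, `gid || sid || msg` in gen-msg.map) and that generators 1 and 3 resolve through sid-msg.map while all other generators resolve through gen-msg.map; the map contents and the `describe`/`report` helpers are constructed for illustration.

```python
import re

# Constructed sample map contents (not real rule data). Assumed formats:
#   sid-msg.map: "sid || msg [|| reference ...]"
#   gen-msg.map: "gid || sid || msg"
SID_MSG_MAP = """\
# sid || msg || references
1000001 || EXAMPLE constructed local rule || url,example.invalid
"""
GEN_MSG_MAP = """\
# gid || sid || msg
120 || 8 || example constructed preprocessor message
"""

def parse_map(text, key_fields):
    """Return {key tuple: msg} from the body of a '||'-separated map file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        keys = parts[:key_fields]
        if len(parts) <= key_fields or not all(k.isdigit() for k in keys):
            continue  # malformed line: skip rather than guess
        entries[tuple(int(k) for k in keys)] = parts[key_fields]
    return entries

def describe(alert, sid_map, gen_map):
    """Resolve an alert's gid:sid:rev to (message or None, map consulted)."""
    m = re.search(r"(\d+):(\d+):(\d+)", alert)
    if not m:
        raise ValueError("no gid:sid:rev triple in %r" % alert)
    gid, sid = int(m.group(1)), int(m.group(2))
    # Assumption: GID 1 (text rules) and GID 3 (shared-object rules) use
    # sid-msg.map; preprocessor and decoder generators use gen-msg.map.
    if gid in (1, 3):
        return sid_map.get((sid,)), "sid-msg.map"
    return gen_map.get((gid, sid)), "gen-msg.map"

def report(alerts):
    """Return [(alert, message or None, map file name)] for each alert."""
    sid_map, gen_map = parse_map(SID_MSG_MAP, 1), parse_map(GEN_MSG_MAP, 2)
    return [(a,) + describe(a, sid_map, gen_map) for a in alerts]

if __name__ == "__main__":
    for alert, msg, source in report(["Snort Alert [124:9:0]",
                                      "Snort Alert [120:8:0]",
                                      "Snort Alert [1:1000001:1]"]):
        print(f"{alert}: {msg or 'NO ENTRY'} (looked up in {source})")
```

To run it against a real sensor, replace the two constructed strings with the contents of the map files your alert-logging component is configured to read.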




