[Snort-users] Signature Message, PP, and sid-msg.map

Jeremy Hoel jthoel at ...11827...
Sun Dec 2 18:01:49 EST 2012


Did this have to do with the post two weeks ago about some of the newer
preprocessor sid:gids not being added?
On Dec 2, 2012 3:46 PM, "JJ Cummings" <cummingsj at ...11827...> wrote:

> It does generate the sid-msg.map file... Can you list the sids that were
> not included? There was recently a bug filed and fixed that dealt with
> certain rules not being included (fixed in SVN).
>
> Sent from the iRoad
>
> On Dec 2, 2012, at 6:17, Y M <snort at ...15979...> wrote:
>
> This may have been discussed before but I did not find a definitive
> answer or an optimal solution. I use PulledPork to generate VRT rules
> (snort.rules) and the sid-msg.map, etc. The process completes successfully.
> I run Snort and alerts start showing up; however, I do not get signature
> messages (sig_name in the DB table) for some rules in there. I only get
> something like, for example: "Snort Alert [1:255:19]". This happens to a
> considerable number of rules.
>
> Since the rules are firing and they exist in the snort.rules file, this
> means that they have been processed by PulledPork; however, they do not
> have respective entries in the sid-msg.map file. I updated those manually,
> both in the database and the sid-msg.map file, and now they are showing up fine.
> As Snort continues to run, I get new alerts with no signature message and
> do the updates again, and so on.
>
> My question is: does PulledPork generate the sid-msg.map file
> dynamically when it is run? If so, why do some rules not get mapped into
> the file?
>
> I have read in a group discussion (can't remember where!) that this is
> related to the reorganization of the rules and should go away once
> everything stabilizes; please correct me if I am wrong.
>
> It can take some effort to get rules updated to show up properly every
> time the rules are updated and PulledPork is run.
>
> Any help would be appreciated. Thanks in advance.
> YM
>
>
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel:
> DESIGN Expert tips on starting your parallel project right.
> http://goparallel.sourceforge.net/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
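As an added example (not PulledPork's own code and not posted by anyone in the thread), the following Python script automates the check Y M ends up doing by hand: it parses snort.rules and sid-msg.map, lists every enabled rule whose gid:sid has no entry in the map, shows the fallback name the alert would carry (the "Snort Alert [1:255:19]" form seen in the post), and prints the map lines that would need to be appended. It assumes the v1 map layout (`sid || msg || ref...`) and the v2 layout (a `#v2` header line, then `gid || sid || msg || ref...`); gid defaults to 1 when a rule carries no gid option. The rules and map text embedded in it are constructed samples, not real VRT content.

```python
"""Cross-check a Snort rules file against sid-msg.map.

Added example, not PulledPork's code. Reports enabled rules whose gid:sid is
absent from the map (those are the alerts that show up as
"Snort Alert [gid:sid:rev]" instead of a signature message) and emits the
map lines that would have to be appended.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "gid sid rev msg")

# Rule options may appear in any order inside the parentheses; match each
# one independently. gid is optional in a rule and defaults to 1.
_OPT = {
    "gid": re.compile(r"\bgid\s*:\s*(\d+)\s*;"),
    "sid": re.compile(r"\bsid\s*:\s*(\d+)\s*;"),
    "rev": re.compile(r"\brev\s*:\s*(\d+)\s*;"),
    "msg": re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;'),
}


def parse_rules(text):
    """Return a Rule for every enabled (uncommented) rule that carries a sid."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled rule or comment: not loaded by Snort
        m_sid = _OPT["sid"].search(line)
        if not m_sid:
            continue
        m_gid = _OPT["gid"].search(line)
        m_rev = _OPT["rev"].search(line)
        m_msg = _OPT["msg"].search(line)
        rules.append(Rule(
            gid=int(m_gid.group(1)) if m_gid else 1,
            sid=int(m_sid.group(1)),
            rev=int(m_rev.group(1)) if m_rev else 0,
            msg=m_msg.group(1) if m_msg else "",
        ))
    return rules


def is_v2(map_text):
    """v2 maps start with a '#v2' header line; v1 maps have no header."""
    return map_text.lstrip().startswith("#v2")


def parse_sid_msg_map(text):
    """Return {(gid, sid): msg} from v1 ('sid || msg') or v2 ('gid || sid || msg') text."""
    v2 = is_v2(text)
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if v2:
            if len(fields) < 3:
                continue
            gid, sid, msg = int(fields[0]), int(fields[1]), fields[2]
        else:
            if len(fields) < 2:
                continue
            gid, sid, msg = 1, int(fields[0]), fields[1]  # v1 has no gid column
        mapping[(gid, sid)] = msg
    return mapping


def fallback_name(rule):
    """Name the alert gets when its gid:sid is missing from the map (as in the post)."""
    return "Snort Alert [%d:%d:%d]" % (rule.gid, rule.sid, rule.rev)


def missing_map_lines(rules, v2):
    """Map lines to append for the given rules, in the map's own format.

    v1 lines carry no gid field, so only gid 1 rules can be expressed there;
    preprocessor (gid != 1) rules need the v2 layout.
    """
    if v2:
        return ["%d || %d || %s" % (r.gid, r.sid, r.msg) for r in rules]
    return ["%d || %s" % (r.sid, r.msg) for r in rules if r.gid == 1]


def check(rules_text, map_text):
    """Return (unmapped rules, map lines to append)."""
    mapping = parse_sid_msg_map(map_text)
    unmapped = [r for r in parse_rules(rules_text) if (r.gid, r.sid) not in mapping]
    return unmapped, missing_map_lines(unmapped, is_v2(map_text))


# Constructed sample input: three enabled rules, one disabled, and a v1 map
# that only knows about sid 1000001.
SAMPLE_RULES = """\
# constructed sample, not real VRT rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE dns zone transfer"; flow:to_server,established; sid:255; rev:19; classtype:attempted-recon;)
alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE web title"; sid:1000001; rev:2;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"SAMPLE preprocessor event"; gid:119; sid:4; rev:1;)
"""
SAMPLE_MAP = "1000001 || SAMPLE web title\n"

if __name__ == "__main__":
    unmapped, lines = check(SAMPLE_RULES, SAMPLE_MAP)
    for r in unmapped:
        print("%d:%d missing from map, alerts show as %s" % (r.gid, r.sid, fallback_name(r)))
    print("lines to append:\n" + "\n".join(lines))
```

Run it against the real files with `check(open("snort.rules").read(), open("sid-msg.map").read())` after each PulledPork run; any rule it reports will produce the bare "Snort Alert [gid:sid:rev]" entries until the map (and, as the post notes, the database) is updated. Note that the v1 layout cannot carry preprocessor rules at all, which is worth keeping in mind when the missing entries are gid != 1.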