[Snort-users] Signature Message, PP, and sid-msg.map
cummingsj at ...11827...
Tue Dec 4 11:34:31 EST 2012
Yeah, I looked at a few of these sids, definitely was an issue with
improperly handling certain escaped chars (in the pcre for example).
was fixed and committed a while back. Please let me know if the issue
On Sun, Dec 2, 2012 at 9:38 PM, Y M <snort at ...15979...> wrote:
> Here is a partial list of the sids, I still have to look at the remaining
> sids and update them.
> I will check the SVN, thanks for the info.
> CC: snort-users at lists.sourceforge.net
> From: cummingsj at ...11827...
> Subject: Re: [Snort-users] Signature Message, PP, and sid-msg.map
> Date: Sun, 2 Dec 2012 16:42:45 -0600
> To: snort at ...15979...
> It does generate the sid-msg.map file. Can you list the sids that were not
> included? There was recently a bug filed and fixed that dealt with
> certain rules not being included (fixed in SVN).
> Sent from the iRoad
> On Dec 2, 2012, at 6:17, Y M <snort at ...15979...> wrote:
> This may have been discussed before but I did not find a definitive answer
> or an optimal solution. I use PulledPork to generate VRT rules (snort.rules)
> and the sid-msg.map, etc. The process completes successfully. I run Snort
> and alerts start showing up, however, I do not get signature messages
> (sig_name in the DB table) for some rules in there. I only get something
> like, for example: "Snort Alert [1:255:19]". This happens to a considerable
> number of rules.
> Since the rules are firing and they exist in the snort.rules file, this
> means that they have been processed by PulledPork, however, they do not have
> respective entries in the sid-msg.map file. I updated those manually, both
> in the database and the sid-msg.map file, and now they are showing up fine. As
> snort continues to run, I get new alerts with no signature message and do
> the updates again and so on.
> My question(s) is, does PulledPork generate the sid-msg.map file dynamically
> once it is run? If so, why do some rules not get mapped into the file?
> I have read in a group discussion (can't remember where!) that this is
> related to the reorganization of the rules and should go away once
> everything stabilizes, please correct me if I am wrong.
> This can take an effort to get rules updated to show up properly every time
> the rules are updated and PulledPork is run.
> Any help would be appreciated. Thanks in advance.
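The thread's symptom (alerts logged as "Snort Alert [1:sid:rev]" with no sig_name) comes down to sids that are active in snort.rules but absent from sid-msg.map. The check below is an added example written for this thread; it is not PulledPork's code or anything from the list. It parses a constructed snort.rules fragment (including a rule whose msg and pcre carry escaped quotes and an escaped semicolon, the kind of content the reply says older PulledPork builds mishandled), parses a constructed sid-msg.map, reports the sids that would fire without a message, and renders the lines needed to append. Both the v1 map layout (`sid || msg || refs`) and the `#v2` layout (`gid || sid || rev || classification || priority || msg || refs`) are handled; the field order for v2 is what newer Snort/PulledPork releases write and is stated here as an assumption rather than something the thread confirms.

```python
import re

# Constructed sample of a snort.rules file (not real VRT rules). The second rule
# carries escaped quotes in msg and an escaped semicolon inside pcre, the sort
# of content the thread says older PulledPork builds mishandled.
SAMPLE_RULES = r'''
# comment line, must be ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE plain rule"; flow:to_server,established; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule with \"escaped\" quote"; pcre:"/a\;b\"c/i"; sid:1000002; rev:3;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE no rev"; sid:1000004;)
'''

# Constructed sid-msg.map in the v1 layout ("sid || msg || ref ..."); sid 1000002 is missing.
SAMPLE_MAP = '''\
1000001 || EXAMPLE plain rule || url,example.invalid/1
1000004 || EXAMPLE no rev
'''

# msg value: any run of non-quote, non-backslash chars or backslash-escaped chars.
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')


def unescape_msg(raw):
    """Undo the backslash escaping used in rule text so it matches what Snort logs."""
    return re.sub(r'\\(.)', r'\1', raw)


def parse_rules(text):
    """Return {sid: {"msg": str, "rev": int or None}} for active (uncommented) rules."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # disabled rules never fire, so they need no map entry
        sid = SID_RE.search(line)
        if not sid:
            continue
        msg = MSG_RE.search(line)
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = {
            'msg': unescape_msg(msg.group(1)) if msg else '',
            'rev': int(rev.group(1)) if rev else None,  # left None when the rule has no rev
        }
    return rules


def parse_sid_msg_map(text):
    """Return {sid: msg}. Handles the v1 layout and, when the first line is '#v2',
    the assumed v2 layout: gid || sid || rev || classification || priority || msg || refs."""
    lines = text.splitlines()
    v2 = bool(lines) and lines[0].strip() == '#v2'
    mapping = {}
    for line in lines:
        if not line.strip() or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if v2:
            if len(fields) < 6:
                continue
            sid, msg = int(fields[1]), fields[5]
        else:
            if len(fields) < 2:
                continue
            sid, msg = int(fields[0]), fields[1]
        mapping[sid] = msg
    return mapping


def find_unmapped(rules, sidmap):
    """Sids that can fire but would log as 'Snort Alert [1:sid:rev]' because the map lacks them."""
    return {sid: info for sid, info in rules.items() if sid not in sidmap}


def render_v1_lines(unmapped):
    """Produce v1 sid-msg.map lines for the missing sids, ready to append to the file."""
    return ['%d || %s' % (sid, info['msg']) for sid, info in sorted(unmapped.items())]


if __name__ == '__main__':
    missing = find_unmapped(parse_rules(SAMPLE_RULES), parse_sid_msg_map(SAMPLE_MAP))
    for line in render_v1_lines(missing):
        print(line)
```

Run it against the real files by reading snort.rules and sid-msg.map from disk in place of the constructed samples; an empty result after a PulledPork run means every active sid has a message, and any output lines are exactly the entries that would otherwise have to be added by hand, as described in the thread.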