[Snort-users] Signature Message, PP, and sid-msg.map

JJC cummingsj at ...11827...
Tue Dec 4 11:34:31 EST 2012


Yeah, I looked at a few of these sids; there definitely was an issue with
improperly handling certain escaped chars (in the pcre, for example). It
was fixed and committed a while back. Please let me know if the issue
persists.

JJC

On Sun, Dec 2, 2012 at 9:38 PM, Y M <snort at ...15979...> wrote:
> Here is a partial list of the sids, I still have to look at the remaining
> sids and update them.
>
> 15167,15168,16282,23493,3691,15147,11257,5693,5760,16313,15306,6467,23098,24229,255,15570,13864,8375,11192,20278,4152,5998,5999,16301,2707,23970,9646,15873,23256,16300,
> 21849,21845,15415,15420,15184,23492,13364,17579,5710,16482,15362
>
> I will check the SVN, thanks for the info.
>
> YM
>
> ________________________________
> CC: snort-users at lists.sourceforge.net
> From: cummingsj at ...11827...
> Subject: Re: [Snort-users] Signature Message, PP, and sid-msg.map
> Date: Sun, 2 Dec 2012 16:42:45 -0600
> To: snort at ...15979...
>
>
> It does generate the sid-msg.map file. Can you list the sids that were not
> included? There was recently a bug filed and fixed that dealt with
> certain rules not being included (fixed in SVN).
>
> Sent from the iRoad
>
> On Dec 2, 2012, at 6:17, Y M <snort at ...15979...> wrote:
>
> This may have been discussed before but I did not find a definitive answer
> or an optimal solution. I use PulledPork to generate VRT rules (snort.rules)
> and the sid-msg.map, etc. The process completes successfully. I run Snort
> and alerts start showing up; however, I do not get signature messages
> (sig_name in the DB table) for some rules in there. I only get something
> like, for example: "Snort Alert [1:255:19]". This happens to a considerable
> number of rules.
>
> Since the rules are firing and they exist in the snort.rules file, this
> means that they have been processed by PulledPork; however, they do not have
> respective entries in the sid-msg.map file. I updated those manually, both
> in the database and in the sid-msg.map file, and now they are showing up fine.
> As snort continues to run, I get new alerts with no signature message and do
> the updates again, and so on.
>
> My question is, does PulledPork generate the sid-msg.map file dynamically
> when it is run? If so, why do some rules not get mapped into the file?
>
> I have read in a group discussion (can't remember where!) that this is
> related to the reorganization of the rules and should go away once
> everything stabilizes; please correct me if I am wrong.
>
> It can take some effort to get the rules to show up properly every time
> the rules are updated and PulledPork is run.
>
> Any help would be appreciated. Thanks in advance.
> YM
>
>
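An added check, not part of this thread or of PulledPork's own code, that automates what YM did by hand: parse snort.rules for each rule's sid and msg (splitting options while honouring the escaped characters JJC mentions, such as \; inside a pcre), parse the v1 sid-msg.map, and report the sids that would alert as "Snort Alert [1:sid:rev]" because the map lacks them. The rule lines and the map line are constructed samples, not real VRT content.

```python
def split_options(body):
    """Split a rule option body on ';' honouring backslash escapes (\\; \\") and quotes."""
    opts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if esc:
            esc = False                      # this char was escaped: keep it literally
        elif ch == '\\':
            esc = True                       # next char is escaped (e.g. \; inside pcre)
        elif ch == '"':
            quoted = not quoted              # track quoted content/pcre/msg strings
        elif ch == ';' and not quoted:
            opts.append(''.join(cur).strip()); cur = []
            continue
        cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]

def parse_rules(text):
    """Return {sid: msg} for every uncommented rule line in snort.rules text."""
    result = {}
    for line in text.splitlines():
        start, end = line.find('('), line.rfind(')')
        if line.lstrip().startswith('#') or start < 0 or end < start:
            continue
        opts = dict(o.partition(':')[::2] for o in split_options(line[start + 1:end]))
        if 'sid' in opts:
            # msg is always quoted in a valid rule; drop the quotes and unescape \"
            result[int(opts['sid'])] = opts.get('msg', '""').strip()[1:-1].replace('\\"', '"')
    return result

def parse_sid_msg_map(text):
    """Return {sid: msg} from v1 sid-msg.map lines of the form: sid || msg || ref || ..."""
    mapping = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split('||')]
        if len(fields) >= 2 and fields[0].isdigit():
            mapping[int(fields[0])] = fields[1]
    return mapping

def missing_from_map(rules_text, map_text):
    """sids that will alert as 'Snort Alert [1:sid:rev]' because the map lacks them."""
    mapped = parse_sid_msg_map(map_text)
    return {s: m for s, m in parse_rules(rules_text).items() if s not in mapped}

# Constructed sample input (not real VRT rules); the second rule carries \" and \;
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE plain rule"; flow:to_server; content:"GET"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE escaped \"quote\""; pcre:"/a\;b/i"; sid:1000002; rev:3;)
'''
MAP = "1000001 || EXAMPLE plain rule || url,example.invalid\n"
```

Run it against the real snort.rules and sid-msg.map that PulledPork wrote; any sid it reports is one whose alerts will show up without a sig_name until the map is regenerated or patched.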
