[Snort-users] Help with Alerts

Michael Steele michaels at ...9077...
Sun Sep 9 17:43:20 EDT 2012


Joel,

When you say 'will include the SIDS from your local ruleset', you are
referring to the local.rules file, correct?

If that's the case; as long as there is no local.rules file, oinkmasters
stand alone sid.msg.map utility should work fine.

For my applications PP is a little messy to implament.

I'd like to see a basic default run of that adds all the stock rulesets
based on the stock snort.conf. The basic default should be exactly like
manually adding a new rule set.  

Is it possible to use PP to only process the sid.msg.map? 

Kindest regards,
Michael...


-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Sunday, September 09, 2012 4:26 PM
To: wkitty42 at ...14940...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Help with Alerts


On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 9/9/2012 09:09, James Lay wrote:
>> 
>> On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>> 
>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>> If you are using pulledpork, it should generate your Sid-MSG.map 
>>>> for you. Are you using pulledpork?
>>> 
>>> and if you are not using pulledpork, there is a tool in the 
>>> utilities area for this... at least there was in the older versions 
>>> of snort... i guess it is still there?
>>> 
>>>  create-sidmap.pl /path/to/rules>  /path/to/sidmap/sid-msg.map
>> 
>> Actually I think that's part of oinkmaster :)
> 
> it might be... i dunno... i've seen it as a separate tool in several
places... 
> gotta dance a little dance if one has more than one rule directory,
though...

It is part of oinkmaster. 

As someone said earlier in the thread, you need to be using pulledpork to
generate the Sid-MSG.map because that will include the SIDS from you local
ruleset. 
Very important. 
----------------------------------------------------------------------------
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!






More information about the Snort-users mailing list