[Snort-users] Help with Alerts

Joel Esler jesler at ...1935...
Sun Sep 9 17:53:29 EDT 2012


You can run pulledpork in the configuration to only process already downloaded rules, yes.  

But there are other benefits to pulledpork that outweigh the effort, IMHO. 

--
Joel Esler

On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels at ...9077...> wrote:

> Joel,
> 
> When you say 'will include the SIDS from your local ruleset', you are
> referring to the local.rules file, correct?
> 
> If that's the case; as long as there is no local.rules file, oinkmasters
> stand alone sid.msg.map utility should work fine.
> 
> For my applications PP is a little messy to implement.
> 
> I'd like to see a basic default run of that adds all the stock rulesets
> based on the stock snort.conf. The basic default should be exactly like
> manually adding a new rule set.  
> 
> Is it possible to use PP to only process the sid.msg.map? 
> 
> Kindest regards,
> Michael...
> 
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Sunday, September 09, 2012 4:26 PM
> To: wkitty42 at ...14940...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help with Alerts
> 
> 
> On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> 
>> On 9/9/2012 09:09, James Lay wrote:
>>> 
>>> On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>>> 
>>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>>> If you are using pulledpork, it should generate your Sid-MSG.map 
>>>>> for you. Are you using pulledpork?
>>>> 
>>>> and if you are not using pulledpork, there is a tool in the 
>>>> utilities area for this... at least there was in the older versions 
>>>> of snort... i guess it is still there?
>>>> 
>>>> create-sidmap.pl /path/to/rules > /path/to/sidmap/sid-msg.map
>>> 
>>> Actually I think that's part of oinkmaster :)
>> 
>> it might be... i dunno... i've seen it as a separate tool in several places...
>> gotta dance a little dance if one has more than one rule directory, though...
> 
> It is part of oinkmaster. 
> 
> As someone said earlier in the thread, you need to be using pulledpork to
> generate the Sid-MSG.map because that will include the SIDS from your local
> ruleset. 
> Very important. 
> 