[Snort-users] Help with Alerts
jesler at ...1935...
Sun Sep 9 17:53:29 EDT 2012
You can run pulledpork in the configuration to only process already downloaded rules, yes.
But there are other benefits to pulledpork that outweigh the effort, IMHO.
On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels at ...9077...> wrote:
> When you say 'will include the SIDS from your local ruleset', you are
> referring to the local.rules file, correct?
> If that's the case; as long as there is no local.rules file, oinkmaster's
> stand-alone sid.msg.map utility should work fine.
> For my applications PP is a little messy to implement.
> I'd like to see a basic default run that adds all the stock rulesets
> based on the stock snort.conf. The basic default should be exactly like
> manually adding a new rule set.
> Is it possible to use PP to only process the sid.msg.map?
> Kindest regards,
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Sunday, September 09, 2012 4:26 PM
> To: wkitty42 at ...14940...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help with Alerts
> On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 9/9/2012 09:09, James Lay wrote:
>>> On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 at ...14940...> wrote:
>>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>>> If you are using pulledpork, it should generate your Sid-MSG.map
>>>>> for you. Are you using pulledpork?
>>>> and if you are not using pulledpork, there is a tool in the
>>>> utilities area for this... at least there was in the older versions
>>>> of snort... i guess it is still there?
>>>> create-sidmap.pl /path/to/rules > /path/to/sidmap/sid-msg.map
>>> Actually I think that's part of oinkmaster :)
>> it might be... i dunno... i've seen it as a separate tool in several
>> gotta dance a little dance if one has more than one rule directory,
> It is part of oinkmaster.
> As someone said earlier in the thread, you need to be using pulledpork to
> generate the Sid-MSG.map because that will include the SIDS from your local
> Very important.
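The thread turns on one point: whatever builds your sid-msg.map must see every rules directory, local.rules included, or alerts for those SIDs show up without a message. The following is an added example (not create-sidmap.pl, pulledpork, or anything posted in the thread) that does that job in plain Python: it collects `*.rules` files from any number of directories, skips `#`-disabled rules, refuses duplicate SIDs, and writes the classic `sid || msg || reference` map format. The rule text in `SAMPLE_RULES` is constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample rule files standing in for a stock ruleset and a local.rules.
SAMPLE_RULES = {
    "community.rules": (
        'alert tcp any any -> any 80 (msg:"WEB example GET"; content:"GET"; sid:2000001; rev:2;)\n'
        '# alert tcp any any -> any 21 (msg:"disabled rule"; sid:2000002; rev:1;)\n'
    ),
    "local.rules": (
        'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP ping seen"; '
        'reference:url,example.invalid/ping; sid:1000001; rev:1;)\n'
    ),
}

# Header up to the first "(" is the rule header; everything inside the outer parens is options.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s.*?\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')

def load_rule_dirs(dirs):
    """Read every *.rules file from one or more rule directories into {path: text}."""
    return {str(p): p.read_text() for d in dirs for p in sorted(Path(d).glob("*.rules"))}

def parse_rules(text):
    """Yield (sid, msg, [references]) for each active rule; '#'-disabled rules are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        sid, msg = SID_RE.search(opts), MSG_RE.search(opts)
        if sid and msg:
            yield int(sid.group(1)), msg.group(1), [r.strip() for r in REF_RE.findall(opts)]

def build_sidmap(rule_texts):
    """Merge all sources into sorted 'sid || msg [|| ref ...]' lines; a SID defined twice is an error."""
    entries = {}
    for name, text in rule_texts.items():
        for sid, msg, refs in parse_rules(text):
            if sid in entries:
                raise ValueError(f"sid {sid} in {name} already defined")
            entries[sid] = " || ".join([str(sid), msg, *refs])
    return [entries[s] for s in sorted(entries)]

if __name__ == "__main__":
    # Real use: build_sidmap(load_rule_dirs(["/etc/snort/rules", "/etc/snort/local"]))  (paths are assumptions)
    Path("sid-msg.map").write_text("\n".join(build_sidmap(SAMPLE_RULES)) + "\n")
```

Passing both the stock rules directory and the directory holding local.rules to `load_rule_dirs` is the "little dance" the thread refers to; the duplicate-SID check catches a local rule that accidentally reuses a vendor SID before it reaches the map.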