[Snort-users] Help with Alerts

Michael Steele michaels at ...9077...
Sun Sep 9 20:50:41 EDT 2012


Just talking processing the sig.msg.map; as long as you don't have an active
local.rules file, running the stand alone 'create-sidmap.pl' file found in
the very latest release of Oinkmaster, will prove to do exactly what PP
does, as far as processing the sig.msg.map file?

If I could isolate the PP process of updating the sig.msg.map to do it as
quickly as the 'create-sidmap.pl' file does (about 2 seconds) I would
replace the 'create-sidmap.pl' with PP, and leave it up to the end users to
activate the auto rule updating portion.

Is there some instructions on processing just the sig.msg.map file using PP?

Kindest regards,
Michael...

-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Sunday, September 09, 2012 5:53 PM
To: Michael Steele
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Help with Alerts

You can run pulledpork in the configuration to only process already
downloaded rules, yes.  

But there are other benefits to pulledpork that outweigh the effort, IMHO. 

--
Joel Esler

On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels at ...9077...> wrote:

> Joel,
> 
> When you say 'will include the SIDS from your local ruleset', you are 
> referring to the local.rules file, correct?
> 
> If that's the case; as long as there is no local.rules file, 
> oinkmasters stand alone sid.msg.map utility should work fine.
> 
> For my applications PP is a little messy to implament.
> 
> I'd like to see a basic default run of that adds all the stock 
> rulesets based on the stock snort.conf. The basic default should be 
> exactly like manually adding a new rule set.
> 
> Is it possible to use PP to only process the sid.msg.map? 
> 
> Kindest regards,
> Michael...
> 
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Sunday, September 09, 2012 4:26 PM
> To: wkitty42 at ...14940...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help with Alerts
> 
> 
> On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> 
>> On 9/9/2012 09:09, James Lay wrote:
>>> 
>>> On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>>> 
>>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>>> If you are using pulledpork, it should generate your Sid-MSG.map 
>>>>> for you. Are you using pulledpork?
>>>> 
>>>> and if you are not using pulledpork, there is a tool in the 
>>>> utilities area for this... at least there was in the older versions 
>>>> of snort... i guess it is still there?
>>>> 
>>>> create-sidmap.pl /path/to/rules>  /path/to/sidmap/sid-msg.map
>>> 
>>> Actually I think that's part of oinkmaster :)
>> 
>> it might be... i dunno... i've seen it as a separate tool in several
> places... 
>> gotta dance a little dance if one has more than one rule directory,
> though...
> 
> It is part of oinkmaster. 
> 
> As someone said earlier in the thread, you need to be using pulledpork 
> to generate the Sid-MSG.map because that will include the SIDS from 
> you local ruleset.
> Very important. 
> ----------------------------------------------------------------------
> ------
> --
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. 
> Discussions will include endpoint security, mobile security and the 
> latest in malware threats. 
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!
> 
> 

----------------------------------------------------------------------------
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!






More information about the Snort-users mailing list