[Snort-users] Help with Alerts

Joel Esler jesler at ...1935...
Sun Sep 9 21:21:27 EDT 2012


I would put in a feature request on the pulledpork website for that functionality. I know JJ wants to get out a new release, so try and get it in quick!

--
Joel Esler
Sent from my iPad 

On Sep 9, 2012, at 8:50 PM, "Michael Steele" <michaels at ...9077...> wrote:

> Just talking about processing the sid-msg.map; as long as you don't have an active
> local.rules file, running the stand-alone 'create-sidmap.pl' file found in
> the very latest release of Oinkmaster will prove to do exactly what PP
> does, as far as processing the sid-msg.map file?
> 
> If I could isolate the PP process of updating the sid-msg.map to do it as
> quickly as the 'create-sidmap.pl' file does (about 2 seconds), I would
> replace 'create-sidmap.pl' with PP and leave it up to the end users to
> activate the auto rule-updating portion.
> 
> Are there any instructions on processing just the sid-msg.map file using PP?
> 
> Kindest regards,
> Michael...
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Sunday, September 09, 2012 5:53 PM
> To: Michael Steele
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Help with Alerts
> 
> You can run pulledpork in the configuration to only process already
> downloaded rules, yes.  
> 
> But there are other benefits to pulledpork that outweigh the effort, IMHO. 
> 
> --
> Joel Esler
> 
> On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels at ...9077...> wrote:
> 
>> Joel,
>> 
>> When you say 'will include the SIDS from your local ruleset', you are 
>> referring to the local.rules file, correct?
>> 
>> If that's the case, as long as there is no local.rules file, 
>> Oinkmaster's stand-alone sid-msg.map utility should work fine.
>> 
>> For my applications PP is a little messy to implement.
>> 
>> I'd like to see a basic default run that adds all the stock 
>> rulesets based on the stock snort.conf. The basic default should be 
>> exactly like manually adding a new ruleset.
>> 
>> Is it possible to use PP to only process the sid-msg.map? 
>> 
>> Kindest regards,
>> Michael...
>> 
>> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Sunday, September 09, 2012 4:26 PM
>> To: wkitty42 at ...14940...
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Help with Alerts
>> 
>> 
>> On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> 
>>> On 9/9/2012 09:09, James Lay wrote:
>>>> 
>>>> On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>>>> 
>>>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>>>> If you are using pulledpork, it should generate your Sid-MSG.map 
>>>>>> for you. Are you using pulledpork?
>>>>> 
>>>>> and if you are not using pulledpork, there is a tool in the 
>>>>> utilities area for this... at least there was in the older versions 
>>>>> of snort... i guess it is still there?
>>>>> 
>>>>> create-sidmap.pl /path/to/rules > /path/to/sidmap/sid-msg.map
>>>> 
>>>> Actually I think that's part of oinkmaster :)
>>> 
>>> it might be... i dunno... i've seen it as a separate tool in several places...
>>> gotta dance a little dance if one has more than one rule directory, though...
>> 
>> It is part of oinkmaster. 
>> 
>> As someone said earlier in the thread, you need to be using pulledpork 
>> to generate the Sid-MSG.map because that will include the SIDs from 
>> your local ruleset.
>> Very important. 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest 
>> Snort news!
>> 
>> 
> 
> 
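An added example, not code from this thread, from Oinkmaster or from pulledpork: a small Python stand-in for the create-sidmap.pl run quoted above that walks every *.rules file in each directory named on the command line (so local.rules and a second rule directory are covered in one pass, with no "little dance"), and writes the classic sid || msg || reference map. The sample rules, the file names, the duplicate-SID warning and the handling of commented-out rules are my assumptions. The reason Joel calls the local SIDs "very important" is that Barnyard2 resolves alert text through this map; a SID that is missing from it is logged with only the generator:sid:rev triple and no message, which is exactly what a locally written rule looks like when the map was built from the stock rules alone.

```python
#!/usr/bin/env python3
"""Build a classic sid-msg.map (sid || msg || ref ...) from Snort rule files.

Added example; not the Oinkmaster create-sidmap.pl or pulledpork code.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Tuple[int, str, List[str]]

# A rule line, optionally commented out ("disabled"), ending in an option block.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?"
    r"(?:alert|log|pass|drop|reject|sdrop)\s+"
    r"[^(]*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rule sets standing in for a stock *.rules file and a
# local.rules file; they are not taken from the mailing-list thread.
STOCK_RULES = r'''
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; flow:to_server,established; reference:url,example.test/ssh; classtype:attempted-recon; sid:1000001; rev:2;)
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS \"quoted\" msg"; \
    reference:cve,2000-0000; reference:url,example.test/dns; sid:1000003; rev:1;)
'''
LOCAL_RULES = r'''
alert tcp any any -> any 8080 (msg:"LOCAL proxy abuse"; sid:9000001; rev:3;)
'''


def iter_logical_lines(text: str) -> Iterable[str]:
    """Yield rule lines with backslash-newline continuations joined."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split an option block on ';' outside quotes, honouring backslash escapes,
    so a msg such as "foo \"bar\"; baz" is not cut in half."""
    pairs, buf, in_quote, escaped = [], [], False, False
    for ch in opts + ";":
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            buf = []
            if token:
                key, _, value = token.partition(":")
                pairs.append((key.strip(), value.strip()))
        else:
            buf.append(ch)
    return pairs


def unquote(value: str) -> str:
    """Drop surrounding quotes and backslash escapes from an option value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def parse_rule(line: str, include_disabled: bool = True) -> Optional[Entry]:
    """Return (sid, msg, references) for a rule line, or None if not a rule."""
    m = RULE_RE.match(line)
    if not m or (m.group("disabled") and not include_disabled):
        return None
    sid, msg, refs = None, None, []
    for key, value in split_options(m.group("opts")):
        if key == "sid" and value.isdigit():
            sid = int(value)
        elif key == "msg":
            msg = unquote(value)
        elif key == "reference":
            refs.append(value)
    if sid is None or msg is None:
        return None
    return sid, msg, refs


def build_sidmap(sources: Dict[str, str], include_disabled: bool = True) -> Tuple[str, List[str]]:
    """Merge rule texts (name -> contents) into sid-msg.map text plus warnings.
    A SID seen twice with different messages is reported; the later file wins."""
    entries: Dict[int, Entry] = {}
    warnings: List[str] = []
    for name, text in sources.items():
        for line in iter_logical_lines(text):
            entry = parse_rule(line, include_disabled)
            if entry is None:
                continue
            sid, msg, _ = entry
            if sid in entries and entries[sid][1] != msg:
                warnings.append(f'{name}: sid {sid} already mapped to "{entries[sid][1]}"; overriding')
            entries[sid] = entry
    lines = [" || ".join([str(s), m] + r) for s, m, r in (entries[k] for k in sorted(entries))]
    return "\n".join(lines) + "\n", warnings


def main(argv: List[str]) -> int:
    """Usage: build_sidmap.py /path/to/rules [/another/rules ...] > sid-msg.map"""
    sources = {str(p): p.read_text() for d in argv for p in sorted(Path(d).glob("*.rules"))}
    if not sources:  # no directories given: run on the constructed samples
        sources = {"stock.rules": STOCK_RULES, "local.rules": LOCAL_RULES}
    text, warnings = build_sidmap(sources)
    sys.stdout.write(text)
    for w in warnings:
        print("warning:", w, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it prints the map for the two constructed files; run with one or more rule directories it behaves like the create-sidmap.pl invocation quoted in the thread. Commented-out rules are kept by default so that re-enabling a rule never leaves its SID without a message; pass include_disabled=False to build_sidmap() if the map should list only what Snort actually loads. The output is the older three-plus-column format; later pulledpork releases can also emit a v2 map with a gid column, which this example does not attempt.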
