[Snort-users] Updating sid-msg.map

Y M snort at ...15979...
Wed Apr 17 06:35:31 EDT 2013


Sorry, I forgot to mention that you may need to add a policy type to your custom rules so that if you run pulledpork with a specific policy (balanced, security, etc.) it will pick up your custom rules as well.
________________________________
From: Tamara Fisher<mailto:tammi888 at ...11827...>
Sent: 4/16/2013 10:29 PM
To: Y M<mailto:snort at ...15979...>
Subject: Re: [Snort-users] Updating sid-msg.map

ok, awesome. thanks for your help


On Tue, Apr 16, 2013 at 3:19 PM, Y M <snort at ...15979...> wrote:

>
>  Are they showing generic in the GUI you use? If so, then you have to
> update the database as well from the generic "Snort Alert" message to the
> actual message in your rule.
> ------------------------------
> Date: Tue, 16 Apr 2013 15:13:27 -0400
> Subject: Re: [Snort-users] Updating sid-msg.map
> From: tammi888 at ...11827...
> To: snort at ...15979...
>
>
> Thanks YM. So I went to manually add my new local rules to the sid-msg.map
> and they are already there (I have pulledpork setup as you do already) but
> alerts that are triggered for those rules are still generic. Any ideas?
>
>
> On Tue, Apr 16, 2013 at 2:45 PM, Y M <snort at ...15979...> wrote:
>
> The reason they show up as a generic "Snort Alert" is because barnyard did
> not find an entry for the rule in the sid-msg.map.
>
> The way I do it to fix existing rules, I add the entry for the rule
> manually to the sid-msg.map (following the same format), and for the
> database entries, run the following sql command against Snort database
> to select the generic "Snort Alert":
>
> SELECT sig_name FROM signature WHERE sig_sid=<generic_rule_sid>
>
> This will return the rule, then you can either edit it manually or issue
> an update command.
>
> I follow the same procedure when I create new rules, but since I
> added them to the sid-msg.map first, barnyard picks up the entry from there
> and inserts the correct value into the database.  Also my pulledpork has
> the path to my local rules file set up, so it picks up my rules the next time I
> run pulledpork and adds them to the updated sid-msg.map
>
> ------------------------------
> Date: Tue, 16 Apr 2013 14:13:16 -0400
> From: tammi888 at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Updating sid-msg.map
>
>
> Hi. I'm having issues when I am creating new local rules where rules show
> up with the generic name 'Snort Alert' instead of what is in the msg field.
> Google tells me that barnyard2 is able to translate the msg field from
> sid-msg.map but I also read that running pulledpork should update that
> file.
>
> My rules are still the same though after running pulledpork. Do I need to
> update this manually? How do I fix it?
>
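As an added illustration of the mechanism discussed in this thread (this is not code from the thread, from pulledpork or from barnyard2): a small script that builds v1 sid-msg.map entries from a local rules file and lists the sids that an existing map lacks, which are exactly the alerts barnyard2 would record as the generic "Snort Alert". The rules file and map contents below are constructed samples.

```python
import re

# Constructed sample local.rules; the commented-out rule must be skipped.
LOCAL_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute-force attempt"; sid:1000001; rev:2; classtype:attempted-admin;)
#alert tcp any any -> any 80 (msg:"LOCAL disabled rule"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL DNS tunnel heuristic"; sid:1000003; rev:1; reference:url,example.invalid/dns;)
"""

# Constructed existing sid-msg.map in v1 format: sid || msg || ref, ...
EXISTING_MAP = """\
1000001 || LOCAL SSH brute-force attempt
"""

# Active rule: action keyword, header up to the first '(', options inside the parentheses.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((?P<opts>.*)\)\s*$')

def parse_rules(text):
    """Return {sid: (msg, [refs])} for every uncommented rule with both msg and sid."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('opts')
        msg = re.search(r'msg:\s*"((?:[^"\\]|\\.)*)"', opts)
        sid = re.search(r'\bsid:\s*(\d+)', opts)
        if not (msg and sid):
            continue
        refs = [r.strip() for r in re.findall(r'reference:\s*([^;]+);', opts)]
        rules[int(sid.group(1))] = (msg.group(1), refs)
    return rules

def map_entries(rules):
    """Render v1 sid-msg.map lines (sid || msg || ref ...), sorted by sid."""
    return [' || '.join([str(sid), msg] + refs) for sid, (msg, refs) in sorted(rules.items())]

def missing_from_map(rules, map_text):
    """SIDs present in the rules but absent from the map: these alert as generic 'Snort Alert'."""
    mapped = {int(l.split('||')[0]) for l in map_text.splitlines()
              if l.strip() and not l.lstrip().startswith('#')}
    return sorted(sid for sid in rules if sid not in mapped)

if __name__ == '__main__':
    rules = parse_rules(LOCAL_RULES)
    print('\n'.join(map_entries(rules)))
    print('missing from sid-msg.map:', missing_from_map(rules, EXISTING_MAP))
```

Appending the generated lines for the missing sids to sid-msg.map and restarting barnyard2 is the manual equivalent of what pulledpork does when it is pointed at the local rules file.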