[Snort-users] Updating sid-msg.map

Tamara Fisher tammi888 at ...11827...
Wed Apr 17 09:05:39 EDT 2013

Thanks YM.

This still baffles me. PulledPork seems to be doing what it should be
doing. It runs nightly and I see my custom rules as entries in the
sid-msg.map file. My alerts go to Splunk but Splunk just pulls directly
from /var/log/barnyard2/alert file. I do not have a database. The
disconnect appears to be Barnyard2. Barnyard2 and snort are restarted
together nightly with my pulledpork script. I use the following command to
start Barnyard2 which references the sid-msg.map.

$ /usr/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort \
    -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map \
    -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null &

but the alerts that are written to /var/log/barnyard2/alert are still the
generic ones.

On Wed, Apr 17, 2013 at 6:35 AM, Y M <snort at ...15979...> wrote:

>  Sorry, I forgot to mention that you may need to add a policy type to
> your custom rules so that if you run pulledpork with specific policy
> (balanced, security, etc) it will pick up your custom rules as well.
>  ------------------------------
> From: Tamara Fisher <tammi888 at ...11827...>
> Sent: 4/16/2013 10:29 PM
> To: Y M <snort at ...15979...>
> Subject: Re: [Snort-users] Updating sid-msg.map
>  ok, awesome. thanks for your help
> On Tue, Apr 16, 2013 at 3:19 PM, Y M <snort at ...15979...> wrote:
>  Are they showing generic in the GUI you use? If so, then you have to
> update the database as well from the generic "Snort Alert" message to the
> actual message in your rule.
>  ------------------------------
> Date: Tue, 16 Apr 2013 15:13:27 -0400
> Subject: Re: [Snort-users] Updating sid-msg.map
> From: tammi888 at ...11827...
> To: snort at ...15979...
> Thanks YM. So I went to manually add my new local rules to the sid-msg.map
> and they are already there (I have pulledpork setup as you do already) but
> alerts that are triggered for those rules are still generic. Any ideas?
> On Tue, Apr 16, 2013 at 2:45 PM, Y M <snort at ...15979...> wrote:
>  The reason they show up as a generic "Snort Alert" is because barnyard
> did not find an entry for the rule in the sid-msg.map.
> The way I do it to fix existing rules, I add the entry for the rule
> manually to the sid-msg.map (following the same format), and for the
> database entries, run the following sql command against Snort database
> to select the generic "Snort Alert":
> SELECT sig_name FROM signature WHERE sig_sid=<generic_rule_sid>
> This will return the rule, then you can either edit it manually or issue
> an update command.
> I follow the same procedure when I create new rules, but since I
> added them to the sid-msg.map first, barnyard picks up the entry from there
> and inserts the correct value into the database.  Also my pulledpork has
> the path to my local rules file set up so it picks my rules the next time I
> run pulledpork and adds them to the updated sid-msg.map
>  ------------------------------
> Date: Tue, 16 Apr 2013 14:13:16 -0400
> From: tammi888 at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Updating sid-msg.map
> Hi. I'm having issues when I am creating new local rules where rules show
> up with generic name 'Snort Alert' instead of what is in the msg field.
> Google tells me that barnyard2 is able to translate the msg field from
> sid-msg.map but I also read that running pulled pork should update that
> file.
> My rules are still the same though after running pulledpork. Do I need to
> update this manually? How do I fix it?
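
Added example, not part of the thread or of the barnyard2/PulledPork code: a check that every enabled local rule has a matching entry in the sid-msg.map that barnyard2 is started with (the -S path), since the thread attributes the generic "Snort Alert" name to a missing map entry. It assumes the version 1 map layout (sid || msg || references); the rules, map lines and function names are constructed for illustration.

```python
import re
# Constructed sample inputs (not taken from the thread).
SAMPLE_RULES = '''\
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH connection attempt"; flags:S; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP sweep"; itype:8; sid:1000002; rev:2;)
# alert tcp any any -> any 23 (msg:"LOCAL disabled telnet rule"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 69 (msg:"LOCAL TFTP request"; sid:1000004; rev:1;)
'''
SAMPLE_MAP = '''\
# sid || msg || reference ...
1000001 || LOCAL SSH connection attempt || url,example.com/ssh
1000002 || LOCAL ICMP ping sweep
'''
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Return {sid: msg} for every enabled (uncommented) rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if sid and msg:
            rules[int(sid.group(1))] = msg.group(1)
    return rules

def parse_sid_msg_map(text):
    """Return {sid: msg} from 'sid || msg || ref ...' lines (v1 layout)."""
    entries = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split('||')]
        if line.lstrip().startswith('#') or len(fields) < 2 or not fields[0].isdigit():
            continue
        entries[int(fields[0])] = fields[1]
    return entries

def check(rules_text, map_text):
    """Return (missing_sids, {sid: (rule_msg, map_msg)}) for the local rules."""
    rules, mapped = parse_rules(rules_text), parse_sid_msg_map(map_text)
    missing = sorted(s for s in rules if s not in mapped)
    mismatched = {s: (m, mapped[s]) for s, m in rules.items()
                  if s in mapped and mapped[s] != m}
    return missing, mismatched

if __name__ == '__main__':
    print(check(SAMPLE_RULES, SAMPLE_MAP))
```

To run it against a live sensor, read the local rules file and the map named after -S in the barnyard2 command line and pass their contents to check().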