[Snort-users] Pulledpork, multiple instances, and sid-msg.map

waldo kitty wkitty42 at ...14940...
Wed Jul 24 22:39:48 EDT 2013


On 7/24/2013 17:29, JJ Cummings wrote:
> This is how I would do it...

if you would maintain a separate conf file that has all the rules enabled in it, 
then why not just make the sid-msg.map file go ahead and contain them all to 
start with like it was "in the olden days"?? why limit the ones in the file to 
only those that are in used rules files and enabled? the software that uses the 
sid-msg.map file doesn't care that the rules aren't used or enabled any more 
when it has entries for them in the logs or database already ;)

> Sent from the iRoad
>
> On Jul 24, 2013, at 16:31, Eoin Miller<eoin.miller at ...14586...>  wrote:
>
>> On 7/24/2013 20:23, James Lay wrote:
>>> Reposted from the pulled pork google group (no response)...anyone have
>>> any hints? I've noticed that some rules aren't in my sid-msg.map.  I
>>> have multiple snort.confs that have different rulesets enabled.  How can
>>> I get pp to make the sid-msg.map with all the sig ID's?
>>>
>>> Thank you.
>>>
>>> James
>>
>> Maintain a separate conf that has all rules enabled and just copy the
>> sid-msg.map file out of that?



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
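
Added example (not part of the original message and not PulledPork's own code): one way to build a sid-msg.map that covers every rule, enabled or disabled, so that older log and database entries still resolve to a message. It assumes the classic `sid || msg || reference ...` line format and that disabled rules are commented out with a leading `#`; the function names and sample rules are constructed for illustration.

```python
import re

# A rule line: optional '#' (disabled rule), then a Snort action keyword.
RULE_RE = re.compile(r'^\s*#?\s*(alert|log|pass|drop|reject|sdrop)\s+\S')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:\\.|[^"\\])*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')


def parse_rule(line):
    """Return (sid, msg, refs) for an enabled or commented-out rule, else None."""
    if not RULE_RE.match(line):
        return None
    sid, msg = SID_RE.search(line), MSG_RE.search(line)
    if not (sid and msg):
        return None  # ordinary comment or a rule missing sid/msg
    # Normalise "type , value" to "type,value" as written in the map file.
    refs = [re.sub(r'\s*,\s*', ',', r, count=1) for r in REF_RE.findall(line)]
    return int(sid.group(1)), msg.group(1), refs


def build_sid_msg_map(rule_lines):
    """Build sorted sid-msg.map lines; the first definition of a sid wins."""
    entries = {}
    for line in rule_lines:
        parsed = parse_rule(line)
        if parsed and parsed[0] not in entries:
            entries[parsed[0]] = parsed[1:]
    return [' || '.join([str(sid), msg] + refs)
            for sid, (msg, refs) in sorted(entries.items())]


# Constructed sample: one enabled rule, one disabled rule, one plain comment,
# and a duplicate sid as it might appear in a second sensor's rules file.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE enabled rule"; content:"abc"; '
    'reference:url,example.com/a; sid:1000001; rev:1;)',
    '# alert tcp any any -> any 25 (msg:"EXAMPLE disabled rule"; '
    'reference:url,example.com/b; reference:url,example.com/c; sid:1000002; rev:2;)',
    '# alert the team before editing this file',
    '# alert tcp any any -> any 80 (msg:"EXAMPLE duplicate"; sid:1000001; rev:1;)',
]

if __name__ == '__main__':
    print('\n'.join(build_sid_msg_map(SAMPLE_RULES)))
```

Feeding it the concatenated rule files used by all sensors gives one map that can be shared across instances with different rulesets enabled.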