[Snort-users] Snort Alert [1:P201XXX:1]

waldo kitty wkitty42 at ...14940...
Tue May 27 13:45:16 EDT 2014


On 5/26/2014 11:47 PM, Matheus Condi'ez wrote:
> Hey guys,
>
> I have snort instance grabbing rules and sid-msg.map from pulled pork - both VRT
> && ET rules.  I have a whole lot of ET ..... & just generic messages for rules.
>   but about 80% of firing events have no 'event name' just Snort Alert
> [1:201209:1] or similar...
>
> has anyone encountered this issue?  Im thinking its the sid-msg.map but why for
> some and not for others?

you need to ensure that your sid-msg.map is up to date after each pull... there 
are tools available to do this for you...

part of your problem is likely that a sid-msg.map is included in one or more 
rules sets but it only has entries for the rules in that set... if you are 
simply copying it over to the proper location then you are overwriting and 
loosing the others... as i understand it, pulledpork can/will generate the 
sid-msg.map for you... there's also a tool that came with oinkmaster that can do 
this but it generates the older format of sid-msg.map...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list