[Snort-users] Snort Alert [1:P201XXX:1]

Matheus Condi'ez conma293 at ...11827...
Tue May 27 23:03:53 EDT 2014


hmmmm I thought pulledpork generated an absolute sid-msg.map just as it does
snort.rules, as opposed to merely rolling updates...?

I will have a look at the gen-msg.map, that may be where the fault lies as I
have not dragged that across


On Wed, May 28, 2014 at 5:45 AM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 5/26/2014 11:47 PM, Matheus Condi'ez wrote:
> > Hey guys,
> >
> > I have a snort instance grabbing rules and sid-msg.map from pulled pork -
> > both VRT && ET rules.  I have a whole lot of ET ..... & just generic
> > messages for rules, but about 80% of firing events have no 'event name',
> > just Snort Alert [1:201209:1] or similar...
> >
> > has anyone encountered this issue?  I'm thinking it's the sid-msg.map but
> > why for some and not for others?
>
> you need to ensure that your sid-msg.map is up to date after each pull...
> there are tools available to do this for you...
>
> part of your problem is likely that a sid-msg.map is included in one or
> more rules sets but it only has entries for the rules in that set... if you
> are simply copying it over to the proper location then you are overwriting
> and losing the others... as i understand it, pulledpork can/will generate
> the sid-msg.map for you... there's also a tool that came with oinkmaster
> that can do this but it generates the older format of sid-msg.map...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
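The overwrite problem described in the quoted reply (a per-ruleset sid-msg.map copied into place has entries only for that set, so alerts from the other set fall back to the bare "Snort Alert [gid:sid:rev]" tag) is easy to see with a small merger. The following Python is an added example, not code from either poster, from pulledpork or from oinkmaster. It parses map files in the old `sid || msg || ref` layout and in the `#v2` layout (`gid || sid || rev || classification || priority || msg || ref`, the field order I assume from newer pulledpork output), unions them, and resolves an alert tag to its message. Both map bodies and every SID and message in them are constructed samples.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: what a VRT-style map in the OLD format might look like.
# Layout: sid || msg || ref || ref ...   (gid is implicitly 1)
VRT_MAP = """\
# constructed sample, old format
1000001 || CONSTRUCTED VRT-style rule one || ref,one
1000002 || CONSTRUCTED VRT-style rule two
"""

# Constructed sample: what an ET-style map in the v2 format might look like.
# Layout: gid || sid || rev || classification || priority || msg || ref ...
ET_MAP = """\
#v2
1 || 2000001 || 3 || trojan-activity || 1 || CONSTRUCTED ET-style rule one || url,example.invalid
1 || 2000002 || 1 || misc-activity || 3 || CONSTRUCTED ET-style rule two
"""

Key = Tuple[int, int]  # (gid, sid); rev is not part of the lookup key


def parse_sid_msg_map(text: str) -> Dict[Key, str]:
    """Parse one sid-msg.map body in either layout into {(gid, sid): msg}."""
    entries: Dict[Key, str] = {}
    v2 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "#v2" switches the field layout for the rest of the file
            if line.lower().startswith("#v2"):
                v2 = True
            continue
        fields = [f.strip() for f in line.split("||")]
        try:
            if v2:
                gid, sid, msg = int(fields[0]), int(fields[1]), fields[5]
            else:
                gid, sid, msg = 1, int(fields[0]), fields[1]
        except (IndexError, ValueError):
            continue  # malformed line: skip it instead of losing the whole map
        entries[(gid, sid)] = msg
    return entries


def merge_maps(*texts: str) -> Dict[Key, str]:
    """Union of several per-ruleset maps; a later file wins on a duplicate key."""
    merged: Dict[Key, str] = {}
    for text in texts:
        merged.update(parse_sid_msg_map(text))
    return merged


ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def alert_name(mapping: Dict[Key, str], alert: str) -> str:
    """Resolve 'Snort Alert [gid:sid:rev]' to its msg; unmapped tags stay bare."""
    m = ALERT_RE.search(alert)
    if not m:
        return alert
    gid, sid, rev = (int(x) for x in m.groups())
    return mapping.get((gid, sid), f"Snort Alert [{gid}:{sid}:{rev}]")


def unresolved(mapping: Dict[Key, str], alerts: Iterable[str]) -> List[str]:
    """The alert tags a console would still show without an event name."""
    return [a for a in alerts if alert_name(mapping, a).startswith("Snort Alert [")]


if __name__ == "__main__":
    seen = ["Snort Alert [1:1000001:1]", "Snort Alert [1:2000001:3]"]
    # Copying only one ruleset's map into place: the other set's alerts stay nameless.
    vrt_only = parse_sid_msg_map(VRT_MAP)
    print("VRT map only, unresolved:", unresolved(vrt_only, seen))
    # Merging both maps before writing sid-msg.map resolves everything.
    merged = merge_maps(VRT_MAP, ET_MAP)
    print("merged, unresolved:", unresolved(merged, seen))
    for tag in seen:
        print(tag, "->", alert_name(merged, tag))
```

Run against real files, read each ruleset's map into a string and pass them all to merge_maps before writing the combined result to the path Snort (or the console) reads; unresolved() over a day's alert tags is a quick check that no ruleset was left out of the merge.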

