[Snort-users] Generator ID map file location changed ?

Y M snort at ...15979...
Sun Mar 1 13:54:53 EST 2015



> From: research at ...17107...
> Date: Fri, 27 Feb 2015 15:58:42 -0500
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Generator ID map file location changed ?
> 
> Hello,
> 
> On page 12 of the PDF format of the “Snort 2.9.7 Manual) [1], it notes that the mapping for GID’s (Generator ID’s), can be found in:
> 
> 	"For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the “decode” (116) component of Snort.”
> 
> >From the source tar ball, I can see the etc subdirectory:
> 
> 	~/snort_src/snort-2.9.7.0/etc
> 
> In there I can see “gen-map.msg”:
> 
> 	-rw-r--r--  1 user user  31K Sep 16 14:24 gen-msg.map
> 
> Inside this file I can see a mapping to “decode” for GID 116 (as referenced in the first quote from the manual), so is this the file that the GID mappings are in now, *NOT* generators, or am I still looking in the wrong place ? 
  # In general, the generators.h is the header defining the GID and SID of Snort components. Each component (GID) is capable of generating various outputs (SID). I would use the gen-msg.map to lookup mappings
>If so, am I correct interpreting that a GID of 1 means the generator was “snort general rule” which matches up to a custom rule I wrote ?
# GID 1 refers to textual rules, including the rules that ship from VRT and your custom textual rules.
> 
> Thanks
> 
> [1] See: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/051/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1425073972&Signature=9uEeOQH3nRJTwXr6c7XxK%2F%2FWqAU%3D
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150301/73477cbb/attachment.html>


More information about the Snort-users mailing list