[Snort-users] Generator ID map file location changed ?
research at ...17107...
Sun Mar 1 14:04:18 EST 2015
Ah, I see. Ok, that makes sense.
On Mar 1, 2015, at 1:54 PM, Y M <snort at ...15979...> wrote:
> > From: research at ...17107...
> > Date: Fri, 27 Feb 2015 15:58:42 -0500
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Generator ID map file location changed ?
> > Hello,
> > On page 12 of the PDF format of the “Snort 2.9.7 Manual”, it notes that the mapping for GIDs (Generator IDs) can be found in:
> > “For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the “decode” (116) component of Snort.”
> > From the source tar ball, I can see the etc subdirectory:
> > ~/snort_src/snort-184.108.40.206/etc
> > In there I can see “gen-map.msg”:
> > -rw-r--r-- 1 user user 31K Sep 16 14:24 gen-msg.map
> > Inside this file I can see a mapping to “decode” for GID 116 (as referenced in the first quote from the manual), so is this the file that the GID mappings are in now, *NOT* generators, or am I still looking in the wrong place?
> # In general, the generators.h is the header defining the GID and SID of Snort components. Each component (GID) is capable of generating various outputs (SID). I would use the gen-msg.map to look up mappings.
> > If so, am I correct interpreting that a GID of 1 means the generator was “snort general rule” which matches up to a custom rule I wrote?
> # GID 1 refers to textual rules, including the rules that ship from VRT and your custom textual rules.
> > Thanks
> >  See: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/051/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1425073972&Signature=9uEeOQH3nRJTwXr6c7XxK%2F%2FWqAU%3D
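As an added example (not part of the thread and not Snort project code): a small Python parser for the `generatorid || alertid || MSG` layout of gen-msg.map that resolves the `[gid:sid:rev]` triple of an alert line, treating GID 1 as a textual rule as the reply describes. The map entries and alert lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample in the "generatorid || alertid || MSG" layout of gen-msg.map.
SAMPLE_MAP = """\
# generatorid || alertid || MSG
1 || 1 || snort general alert
116 || 1 || snort_decoder: Not IPv4 datagram!
116 || 56 || snort_decoder: T/TCP Detected

this line is malformed and is skipped
"""

# [gid:sid:rev] triple as it appears in an alert line (assumed layout).
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg}; comments, blanks and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two delimiters only, so a message may contain "||".
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def describe_alert(alert_line, table):
    """Resolve one alert line to (gid, sid, rev, description), or None if no triple."""
    m = ALERT_ID.search(alert_line)
    if m is None:
        return None
    gid, sid, rev = (int(x) for x in m.groups())
    if gid == 1:
        # GID 1 means a textual rule: the SID is that rule's own sid option,
        # so the message comes from the rule, not from gen-msg.map.
        return (gid, sid, rev, "text rule (see the rule with this sid)")
    return (gid, sid, rev, table.get((gid, sid), "unknown generator event"))


if __name__ == "__main__":
    gen_map = parse_gen_msg_map(SAMPLE_MAP)
    print(describe_alert("[**] [116:56:1] (snort_decoder): T/TCP Detected [**]", gen_map))
```
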