[Snort-users] How to make snort detect sid-msg.map

wkitty42 at windstream.net wkitty42 at windstream.net
Tue Aug 1 10:07:15 EDT 2017


On 08/01/2017 09:41 AM, neerav arora via Snort-users wrote:
> Hi jesler, could you please elaborate? So basically I have a sid-msg.map and
> the corresponding rules file already available; now I want snort alert logs to
> have msg instead of sid.

you cannot... snort doesn't work that way...


> Could you please tell me how I can achieve that? Is there any change I need to
> do in the snort.conf file?

if you are trying to parse the snort alert logs, you will need to perform the 
lookup of the GID:SID to get the message yourself...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
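
The GID:SID lookup described in the reply above, as an added example that is not part of the original thread or of Snort itself. It assumes the classic sid-msg.map layout (`SID || MSG || reference ...`, entries taken as GID 1) and alert lines that carry a `[GID:SID:REV]` triple; the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample in the classic layout: "SID || MSG || ref || ..."
SAMPLE_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL Example HTTP probe || url,example.invalid/a
1000002 || LOCAL Example DNS query
"""

# Constructed alert lines that carry only the [GID:SID:REV] triple
SAMPLE_ALERTS = [
    "08/01-10:07:15.000001 [1:1000001:3] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80",
    "08/01-10:07:16.000002 [1:1000002:1] {UDP} 192.0.2.10:53000 -> 198.51.100.9:53",
    "08/01-10:07:17.000003 [1:4242:1] {TCP} 192.0.2.11:40001 -> 198.51.100.5:22",
]

TRIPLE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

def load_sid_map(text, default_gid=1):
    """Return {(gid, sid): msg}. The classic file has no GID column,
    so default_gid is an assumption applied to every entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip malformed entries rather than abort
        table[(default_gid, int(fields[0]))] = fields[1]
    return table

def annotate(line, table):
    """Insert the looked-up message right after the [GID:SID:REV] triple."""
    m = TRIPLE.search(line)
    if not m:
        return line  # not an alert line; pass through unchanged
    gid, sid = int(m.group(1)), int(m.group(2))
    msg = table.get((gid, sid), "(no entry for %d:%d)" % (gid, sid))
    return line[:m.end()] + " " + msg + line[m.end():]

if __name__ == "__main__":
    table = load_sid_map(SAMPLE_MAP)
    for alert in SAMPLE_ALERTS:
        print(annotate(alert, table))
```

A SID that is missing from the map is reported as such rather than dropped, so alerts from rules that were never added to the map stay visible.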


