Re: Unified output and multiple .map's.

[Andreas Östling <andreaso () it su se>]

> Hi all,
>
> I was wondering how people using the unified output, the official Snort rules 
> and the bleeding rules are handling their .map files?

> It requires the extra step of re-creating the sid-msg.map file after both 
> sets of rules have been applied via Oinkmaster.
...

I'm sure there are several ways to do this but as seen in 
http://cvs.sourceforge.net/viewcvs.py/oinkmaster/oinkmaster/FAQ?view=markup
under "Q26: How do I keep my sid-msg.map up-to-date?", I 
personally prefer to use create-sidmap.pl to generate the map myself. I 
would probably do so even if all the tools could handle multiple .map 
files. A few reasons:

- I don't want to assume that the included sid-msg.map files in all 
rules archives are updated correctly

- I have local rules and must generate a sid map anyway

- By running create-sidmap.pl you automatically get a sid dup check 
across all the rules, including local ones. Concatenating several 
sid-msg.map files without some basic sanity check could be bad.

- Generating a new map is a simple as running create-sidmap.pl and point 
to all rules directories. Just make sure it's run after each rules 
update and you'll never have to care about it again.

/Andreas


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users