Snort mailing list archives
Re: How Can I display the rule name instead of the ID with ACID?
From: "Berta Alcala" <berta83 () gmail com>
Date: Tue, 13 May 2008 11:11:59 +0200
Thank you very much for your reply.

As Matt says, what I really want is how to display the signature description in the "sig_name" field instead of the signature ID.

I don't use barnyard, nor BASE. So the first thing I'm going to do is install BASE. Do I need to use barnyard?

Regards,
Berta

2008/5/12 Joel Esler <joel.esler () mac com>:
> So, if by displaying just the sig-id in the signature field, instead of the name of the signature, this leads me to believe that you are using barnyard to read unified files and output their contents into the db.
>
> What the problem is, is not a problem with base, acid, or even Snort. It's a misconfiguration in Barnyard. You don't have your barnyard reading your correct sid-msg.map file.
>
> Joel
>
> On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:
>> Yep, for a first step it will be great if you can just use BASE instead. Just hit the following link to download the latest version of BASE:
>> http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
>>
>> There are two columns named "signature" and "sig_name" in the "acid_event" table that contain the same value, the signature ID (sig_id). In this case, what Berta really wants is how to display the signature description in the "sig_name" field (not the signature ID), CMIIW.
>>
>> Regards,
>> Matt
>>
>> --- Joel Esler <joel.esler () mac com> wrote:
>>> First, you should switch to BASE http://base.secureideas.net. ACID has been dead for at least 5 years.
>>>
>>> Second, do you mean that in the signature name field you have a number, and not the name of the alert? Or are you saying that you want the description of the rule displayed somewhere?
>>>
>>> Please clarify your statement so that we can make a more helpful suggestion.
>>>
>>> Joel
>>>
>>> On May 12, 2008, at 5:04 AM, Berta Alcala wrote:
>>>> I use snort+acid+mysql. When I display the alerts there is a "Signature" column that is the signature ID. I need the "sig_name" field (which is the rule's description) instead of the sig_id. The problem is in the "acid_event" table: there are "signature" and "sig_name", both with the same value, the ID. What can I do to get the description? There are a lot of files and I don't know which one I have to modify.
>
> --
> Joel Esler  joel.esler () mac com  http://blog.joelesler.net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
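A way to check the diagnosis in this thread offline, as an added example that is not part of the original messages or of any tool they name: it parses the "sid || msg || reference" lines of a sid-msg.map file and flags alert rows whose sig_name is still only a number. The sample map, the sample rows and the assumption that the stored number is the Snort SID are constructed for illustration.

```python
# Constructed sample in the sid-msg.map layout: "sid || msg || reference ..."
SAMPLE_SID_MSG_MAP = """\
# constructed sample, not taken from a real rule set
1000001 || EXAMPLE web request to admin console || url,example.invalid/ref1
1000002 || EXAMPLE outbound connection on unusual port
malformed line without separator
1000003 ||
"""

# Constructed rows shaped like the thread's acid_event columns
# (signature, sig_name). Assumption: a numeric sig_name is the Snort SID.
SAMPLE_EVENTS = [
    (1000001, "1000001"),
    (1000002, "EXAMPLE outbound connection on unusual port"),
    (1000009, "1000009"),
]


def parse_sid_msg_map(text):
    """Return {sid: msg}, skipping comments, blanks and unparsable lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdecimal() or not fields[1]:
            continue  # no separator, non-numeric SID or empty message
        mapping[int(fields[0])] = fields[1]
    return mapping


def audit_sig_names(events, sid_map):
    """Label each row 'ok', 'fixable' (map has the message) or 'missing_in_map'."""
    report = []
    for signature, sig_name in events:
        name = sig_name.strip()
        if not name.isdecimal():
            report.append((signature, "ok", name))
        elif int(name) in sid_map:
            report.append((signature, "fixable", sid_map[int(name)]))
        else:
            report.append((signature, "missing_in_map", None))
    return report


if __name__ == "__main__":
    for row in audit_sig_names(SAMPLE_EVENTS, parse_sid_msg_map(SAMPLE_SID_MSG_MAP)):
        print(row)
```

Rows reported as missing_in_map point at a map file that does not match the rule set in use, which is the situation Joel describes.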
Current thread:
- How Can I display the rule name instead of the ID with ACID? Berta Alcala (May 12)
- Re: How Can I display the rule name instead of the ID with ACID? Joel Esler (May 12)
- Re: How Can I display the rule name instead of the ID with ACID? Rachmat Hidayat Al-Anshar (May 12)
- Re: How Can I display the rule name instead of the ID with ACID? Rachmat Hidayat Al-Anshar (May 12)
- Re: How Can I display the rule name instead of the ID with ACID? Joel Esler (May 12)
- Re: How Can I display the rule name instead of the ID with ACID? Berta Alcala (May 13)
- Re: How Can I display the rule name instead of the ID with ACID? Rachmat Hidayat Al-Anshar (May 13)
- Re: How Can I display the rule name instead of the ID with ACID? Nigel Houghton (May 13)
- Re: How Can I display the rule name instead of the ID with ACID? Joel Esler (May 12)