Snort mailing list archives
Re: Emerging Threats Rules
From: Sethsec <sethsec () gmail com>
Date: Thu, 23 Oct 2008 10:40:23 -0400
On Wed, Oct 22, 2008 at 7:05 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi, I was wondering what the best method of implementing the Emerging Threats rules on a snort machine is? I'm using Snort with MySQL, Barnyard and BASE. I've got my snort machine downloading the Emerging Threats rules everyday, and I just put an include for each ET rule file in the snort.conf file. Is this the best way to handle it?
Yes it is.
Also, I noticed that in BASE, I am not seeing the SID name, and I'm assuming that is because I am not telling the system to look at the ET sid.msg file. What's the best way to deal with that?
Use create-sidmap.pl http://oinkmaster.sourceforge.net/download.shtml Run it after you run oinkmaster, but before you restart snort. Ex: /path/to/create-sidmap.pl /etc/snort/rules/ > /etc/snort/rules/sid-msg.map
Thanks, Shawn
-Seth ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Emerging Threats Rules Jefferson, Shawn (Oct 22)
- Re: Emerging Threats Rules Sethsec (Oct 23)