Re: Updating sid-msg.map

[Joel Esler <jesler () sourcefire com>]

The sid-msg.map file essentially maps the Rule MSG alert name to the sid
number assigned to the rule.

This really comes into play when you your output method from Snort is
unified or unified2, and you are taking that output and reading it with
another tool (like barnyard2) for input into the database.

Since the rule msg is not stored in the unified or unified2 file format,
it's necessary for the output tool (barnyard2) to read the sid-msg.map file
to correctly input the names of the alerts into the db when associated with
an alert by sid.

Without this file being read by barnyard2, the alerts in the database will
show up only as gid:sid. (1:2133 for example).

If your output method from Snort is direct to database via the mysql option,
you will not need the sid-msg.map file, however, this output method is not
recommended.

J

On Mon, Nov 15, 2010 at 10:35 PM, Chan, Wilson <wchan () honolulu gov> wrote:

>  First off what is the sid-msg.map used for? I looked in my oinkmaster
> config docs and they recommend to update the sourcefire and emerging threats
> rule via the create-sidmap.pl script.
>
> Since I have oinkmaster dumping ET and sourcefire rules to /etc/snort/rules
> do I just run the perl script like this?
>
>
>
> ===============================================
>
> Create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
>
> ===============================================
>
>
>
> I’ve also googled and found this as another alternative.
>
>
>
>
> =========================================================================================================================
>
> Cron script to refresh sid-msg.map otherwise you will get unidentified
> alerts:
>
>
>
> #!/bin/sh
>
> /usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/emerging-threads -C
> /usr/local/etc/oinkmaster.emerging.conf
>
> /bin/rm /usr/local/etc/snort/sid-msg.map
>
> /bin/cat /usr/local/etc/snort/sid-msg.map-sample
> /usr/local/etc/snort/rules/emerging-threads/emerging-sid-msg.map >
> /usr/local/etc/snort/sid-msg.map
>
> /usr/local/etc/rc.d/snort restart
>
>
> ==========================================================================================================================
>
>
>
> *Wilson *
>
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Joel Esler
302-223-5974

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users