Snort mailing list archives
Re: sid-msg.map incomplete again
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Tue, 25 Jan 2011 15:39:03 -0500
On Tue, Jan 25, 2011 at 03:28:38PM -0500, Nigel Houghton wrote:
> On Tue, 25 Jan 2011 14:30:44 -0500, Lawrence R. Hughes, Sr. wrote:
> > Nigel, That's great if you use pulledpork, we do not. PulledPork was not a requirement for snort to work correctly.
>
> Just for everyone's clarification here, Snort does not need the sid-msg.map, you only need that for your event data in your database if you use BASE or similar. Barnyard uses it. We suggest that folks use PulledPork to manage their rules and their sid-msg.map etc... and that you output to a unified file from Snort and use Barnyard to process that file to put the event data into a database or whatever. If you don't want to use PulledPork, it is pretty easy to write a script (in whatever language you like) that processes the rules files to produce a sid-msg.map.

Oinkmaster has a perl routine called "create-sidmap.pl" I believe.

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
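A sketch of the kind of script the quoted message describes, added here as an example; it is not code from this thread, from Oinkmaster's create-sidmap.pl, or from PulledPork. It assumes the `sid || msg || reference || ...` line layout for sid-msg.map, treats commented-out rules as mappable by default, and uses hypothetical function names and constructed sample rules.

```python
import re

# Constructed sample rules (not from any real ruleset); SIDs are in the local range.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe \"test\""; \
    flow:to_server,established; content:"/probe"; \
    reference:url,example.com/advisory; reference:cve,0000-0000; sid:1000001; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
# This is an ordinary comment, not a rule
alert icmp any any -> any any (msg:"EXAMPLE no references"; sid:1000003;)
'''

RULE_RE = re.compile(r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((.*)\)\s*$')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:\\.|[^"\\])*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')

def logical_lines(text):
    """Join backslash-continued lines so each rule is one logical line."""
    return re.sub(r'\\\r?\n\s*', ' ', text).splitlines()

def build_sid_map(text, include_disabled=True):
    """Return {sid: 'sid || msg || ref ...'} for every rule found in text."""
    entries = {}
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m or (m.group(1) and not include_disabled):
            continue
        opts = m.group(2)
        # Blank out quoted strings so a payload such as content:"sid:9;" cannot match.
        bare = QUOTED_RE.sub('""', opts)
        msg, sid = MSG_RE.search(opts), SID_RE.search(bare)
        if not (msg and sid):
            continue  # a map entry needs both a sid and a msg
        fields = [sid.group(1), msg.group(1)] + REF_RE.findall(bare)
        # Keep the first definition when a SID appears more than once.
        entries.setdefault(int(sid.group(1)), ' || '.join(fields))
    return entries

def render(entries):
    """Serialize the entries in ascending SID order, one per line."""
    return ''.join(entries[sid] + '\n' for sid in sorted(entries))

if __name__ == '__main__':
    print(render(build_sid_map(SAMPLE_RULES)), end='')
```

The msg text is written out exactly as it appears in the rule, including any backslash escapes.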