Snort mailing list archives
Re: Help with Alerts
From: "Michael Steele" <michaels () winsnort com>
Date: Sun, 9 Sep 2012 20:50:41 -0400
Just talking about processing the sig.msg.map; as long as you don't have an active local.rules file, running the stand alone 'create-sidmap.pl' file found in the very latest release of Oinkmaster will prove to do exactly what PP does, as far as processing the sig.msg.map file? If I could isolate the PP process of updating the sig.msg.map to do it as quickly as the 'create-sidmap.pl' file does (about 2 seconds), I would replace the 'create-sidmap.pl' with PP and leave it up to the end users to activate the auto rule updating portion.

Are there some instructions on processing just the sig.msg.map file using PP?

Kindest regards,
Michael...

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Sunday, September 09, 2012 5:53 PM
To: Michael Steele
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Help with Alerts

You can run pulledpork in the configuration to only process already downloaded rules, yes. But there are other benefits to pulledpork that outweigh the effort, IMHO.

--
Joel Esler

On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels () winsnort com> wrote:
Joel,

When you say 'will include the SIDS from your local ruleset', you are referring to the local.rules file, correct? If that's the case, as long as there is no local.rules file, Oinkmaster's stand alone sid.msg.map utility should work fine.

For my applications PP is a little messy to implement. I'd like to see a basic default run that adds all the stock rulesets based on the stock snort.conf. The basic default should be exactly like manually adding a new rule set.

Is it possible to use PP to only process the sid.msg.map?

Kindest regards,
Michael...

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Sunday, September 09, 2012 4:26 PM
To: wkitty42 () windstream net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help with Alerts

On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 9/9/2012 09:09, James Lay wrote:
>
>> On Sep 8, 2012, at 6:31 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>
>>> On 9/8/2012 07:53, Joel Esler wrote:
>>>
>>>> If you are using pulledpork, it should generate your Sid-MSG.map for you. Are you using pulledpork?
>>>
>>> and if you are not using pulledpork, there is a tool in the utilities area for this... at least there was in the older versions of snort... i guess it is still there?
>>>
>>> create-sidmap.pl /path/to/rules > /path/to/sidmap/sid-msg.map
>>
>> Actually I think that's part of oinkmaster :)
>
> it might be... i dunno... i've seen it as a separate tool in several places... gotta dance a little dance if one has more than one rule directory, though...

It is part of oinkmaster. As someone said earlier in the thread, you need to be using pulledpork to generate the Sid-MSG.map because that will include the SIDS from your local ruleset. Very important.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
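What create-sidmap.pl and PulledPork's map step both do is read the rules files for each rule's `sid`, `msg` and `reference` options and emit one `sid || msg || ref ...` line per rule, which is the lookup Snort's output plugins and consoles such as Barnyard use to turn a bare SID in an alert into its message. The script below is an added example written for this page; it is not create-sidmap.pl, PulledPork, or anything posted in the thread. It shows that extraction with the two points raised in the thread handled: it accepts more than one rule directory (the "dance" waldo mentions) and it merges local.rules last so its SIDs land in the map, flagging any SID that local.rules redefines with a different message. The sample rules, the `example.invalid` references and the SIDs in the 1000001+ local range are constructed for the example. It writes the classic three-field map format; newer Snort 2.9 builds also accept a `#v2` variant with gid and rev fields, which is what PulledPork produces.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample rules (not from the thread). The second rule is disabled
# (commented out) and is skipped; the third spans two lines with a backslash.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server; content:"/probe"; reference:url,example.invalid/probe; classtype:web-application-activity; sid:1000001; rev:2;)
# alert tcp any any -> any 22 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns query"; \
    content:"|01 00 00 01|"; reference:cve,2000-0001; reference:url,example.invalid/dns; sid:1000003; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# msg values are double-quoted and may contain escaped quotes (\")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def join_continuations(text: str) -> List[str]:
    """Glue lines ending in a backslash onto the next line, as Snort's parser does."""
    lines, buf = [], ''
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf += stripped[:-1]
            continue
        lines.append(buf + raw)
        buf = ''
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (sid, msg, [references]) for every active rule in one rules file."""
    entries = []
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # design choice: disabled rules stay out of the map
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if not (sid and msg):
            continue  # not a rule (variable, include, comment block)
        refs = [r.strip() for r in REF_RE.findall(line)]
        entries.append((int(sid.group(1)), msg.group(1), refs))
    return entries


def build_sidmap(rule_texts: Dict[str, str]):
    """Merge several rules files (later files win) and report conflicting SIDs."""
    sidmap: Dict[int, Tuple[str, List[str]]] = {}
    conflicts: List[Tuple[int, str]] = []
    for fname, text in rule_texts.items():
        for sid, msg, refs in parse_rules(text):
            if sid in sidmap and sidmap[sid] != (msg, refs):
                conflicts.append((sid, fname))
            sidmap[sid] = (msg, refs)
    return sidmap, conflicts


def format_sidmap(sidmap) -> str:
    """Classic sid-msg.map layout: sid || msg || ref || ref ..."""
    rows = [' || '.join([str(sid)] + [sidmap[sid][0]] + sidmap[sid][1])
            for sid in sorted(sidmap)]
    return '\n'.join(rows) + '\n'


def sidmap_from_dirs(dirs: List[str]):
    """Walk every *.rules file in each directory; local.rules is read last so its SIDs win."""
    texts: Dict[str, str] = {}
    local = None
    for d in dirs:
        for name in sorted(os.listdir(d)):
            if not name.endswith('.rules'):
                continue
            path = os.path.join(d, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                if name == 'local.rules':
                    local = (path, fh.read())
                else:
                    texts[path] = fh.read()
    if local:
        texts[local[0]] = local[1]
    return build_sidmap(texts)


if __name__ == '__main__':
    smap, clashes = build_sidmap({'constructed.rules': SAMPLE_RULES})
    print(format_sidmap(smap), end='')
    for sid, where in clashes:
        print(f'# warning: sid {sid} redefined in {where}')
```

Run against real directories as `sidmap_from_dirs(['/etc/snort/rules', '/etc/snort/so_rules'])` and write `format_sidmap(...)` to the path your output plugin reads; a non-empty conflict list means two rule files carry the same SID with different messages, which is worth resolving before the map goes live since only one message can survive.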
Current thread:
- Help with Alerts Pratik Narang (Sep 08)
- Re: Help with Alerts Joel Esler (Sep 08)
- Re: Help with Alerts waldo kitty (Sep 08)
- Re: Help with Alerts James Lay (Sep 09)
- Re: Help with Alerts waldo kitty (Sep 09)
- Re: Help with Alerts Joel Esler (Sep 09)
- Re: Help with Alerts Michael Steele (Sep 09)
- Re: Help with Alerts Joel Esler (Sep 09)
- Re: Help with Alerts Michael Steele (Sep 09)
- Re: Help with Alerts Joel Esler (Sep 09)
- Re: Help with Alerts waldo kitty (Sep 08)
- Re: Help with Alerts Joel Esler (Sep 08)
- Message not available
- Message not available
- Help with Alerts Pratik Narang (Sep 09)
- Re: Help with Alerts waldo kitty (Sep 09)
- <Possible follow-ups>
- Fwd: Help with Alerts Joel Esler (Sep 10)