Snort mailing list archives
Re: Updating sid-msg.map
From: Y M <snort () outlook com>
Date: Tue, 16 Apr 2013 19:19:26 +0000
Are they showing generic in the GUI you use? If so, then you have to update the database as well from the generic "Snort Alert" message to the actual message in your rule.

Date: Tue, 16 Apr 2013 15:13:27 -0400
Subject: Re: [Snort-users] Updating sid-msg.map
From: tammi888 () gmail com
To: snort () outlook com

Thanks YM. So I went to manually add my new local rules to the sid-msg.map and they are already there (I have pulledpork set up as you do already) but alerts that are triggered for those rules are still generic. Any ideas?

On Tue, Apr 16, 2013 at 2:45 PM, Y M <snort () outlook com> wrote:

The reason they show up as a generic "Snort Alert" is because barnyard did not find an entry for the rule in the sid-msg.map. The way I do it to fix existing rules, I add the entry for the rule manually to the sid-msg.map (following the same format), and for the database entries, run the following sql command against the Snort database to select the generic "Snort Alert":

SELECT sig_name FROM signature WHERE sig_sid=<generic_rule_sid>

This will return the rule, then you can either edit it manually or issue an update command. I follow the same procedure when I create new rules, but since I added them to the sid-msg.map first, barnyard picks up the entry from there and inserts the correct value into the database. Also my pulledpork has the path to my local rules file set up so it picks up my rules the next time I run pulledpork and adds them to the updated sid-msg.map.

Date: Tue, 16 Apr 2013 14:13:16 -0400
From: tammi888 () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Updating sid-msg.map

Hi. I'm having issues when I am creating new local rules where rules show up with the generic name 'Snort Alert' instead of what is in the msg field. Google tells me that barnyard2 is able to translate the msg field from sid-msg.map but I also read that running pulledpork should update that file. My rules are still the same though after running pulledpork.
Do I need to update this manually? How do I fix it?

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
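The procedure Y M describes above (add the missing sid/msg pair to sid-msg.map in the same format, then rename the generic "Snort Alert" rows in the `signature` table) can be scripted. The following is an added example, not code from the thread, from pulledpork or from barnyard2. It parses a constructed local.rules, appends v1-format `sid || msg || ref` entries for any sid the existing map lacks, and emits the SQL UPDATE statements for the `signature` table. Assumptions: the v1 map format (no gid column, gid 1 implied) that pulledpork wrote at the time of the thread, the `signature` table columns `sig_gid`, `sig_sid` and `sig_name` used in the thread's own query, and that barnyard2's placeholder name begins with "Snort Alert". The sample rules and map are constructed.

```python
"""Sync local Snort rules into sid-msg.map and fix barnyard2's signature table.

Added example; the rules, map content and file names below are constructed
for illustration and are not from the mailing-list thread.
"""
import re

# Constructed local.rules content (not from the thread).
SAMPLE_RULES = r'''
# local.rules (constructed example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Metasploit default reverse shell port"; flow:to_server; reference:url,example.org/x; classtype:trojan-activity; sid:1000001; rev:2;)
alert udp any any -> any 53 (msg:"LOCAL DNS query for 'evil' domain"; content:"|04|evil|03|com|00|"; sid:1000002; rev:1;)
# a commented-out rule must be ignored
#alert tcp any any -> any 80 (msg:"LOCAL disabled"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"LOCAL no sid"; rev:1;)
'''

# Constructed sid-msg.map that already knows one of the two sids.
EXISTING_MAP = (
    "# sid-msg.map (constructed example)\n"
    "1000001 || LOCAL Metasploit default reverse shell port || url,example.org/x\n"
)

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')   # handles \" inside msg
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def parse_rules(text):
    """One dict per active rule that carries both a sid and a msg.

    Commented-out lines and rules without a sid (which Snort would not load
    anyway, and which barnyard2 could never map) are skipped.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if not sid or not msg:
            continue
        rev, gid = REV_RE.search(line), GID_RE.search(line)
        rules.append({
            'gid': int(gid.group(1)) if gid else 1,   # gid defaults to 1 in Snort
            'sid': int(sid.group(1)),
            'rev': int(rev.group(1)) if rev else 1,
            'msg': msg.group(1),
            'refs': [r.strip() for r in REF_RE.findall(line)],
        })
    return rules


def map_line(rule):
    """v1 sid-msg.map entry: sid || msg || ref || ref ... (gid 1 implied)."""
    return ' || '.join([str(rule['sid']), rule['msg']] + rule['refs'])


def known_sids(map_text):
    """Set of sids already present in a v1 sid-msg.map."""
    sids = set()
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        first = line.split('||', 1)[0].strip()
        if first.isdigit():
            sids.add(int(first))
    return sids


def merge_sid_msg_map(map_text, rules):
    """Append entries for sids missing from map_text; return (new_text, added_sids)."""
    have = known_sids(map_text)
    added = [r for r in rules if r['sid'] not in have]
    out = map_text if (not map_text or map_text.endswith('\n')) else map_text + '\n'
    out += ''.join(map_line(r) + '\n' for r in added)
    return out, [r['sid'] for r in added]


def sql_updates(rules):
    """UPDATE statements that rename barnyard2's generic 'Snort Alert' rows.

    Only rows whose sig_name still starts with 'Snort Alert' are touched, so
    re-running the script never clobbers a name that is already correct.
    Single quotes in msg are doubled for SQL.
    """
    stmts = []
    for r in rules:
        name = r['msg'].replace("'", "''")
        stmts.append(
            "UPDATE signature SET sig_name='%s' "
            "WHERE sig_gid=%d AND sig_sid=%d AND sig_name LIKE 'Snort Alert%%';"
            % (name, r['gid'], r['sid']))
    return stmts


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    new_map, added = merge_sid_msg_map(EXISTING_MAP, rules)
    print("added sids:", added)
    print(new_map)
    print('\n'.join(sql_updates(rules)))
```

Run it against the real files by reading local.rules and sid-msg.map from disk in place of the constructed strings, writing `new_map` back out, and feeding the printed statements to the Snort database (for example with `mysql snort < fix.sql`), then restart barnyard2 so it re-reads the map.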
Current thread:
- Updating sid-msg.map Tamara Fisher (Apr 16)
- Re: Updating sid-msg.map Y M (Apr 16)
- Message not available
- Re: Updating sid-msg.map Y M (Apr 16)
- Message not available
- Re: Updating sid-msg.map Y M (Apr 16)
- <Possible follow-ups>
- Re: Updating sid-msg.map Y M (Apr 17)
- Re: Updating sid-msg.map Tamara Fisher (Apr 17)