Snort mailing list archives
Re: Snort Alert [1:xx] - sid-msg.map looks correct
From: Y M <snort () outlook com>
Date: Wed, 16 Jul 2014 18:31:56 +0000
Since the signature is in the database already, you may need to update the record with the appropriate alert message. Assuming that Snorby uses the "event" table to store/retrieve alert data:

First, verify that you are getting the right record for that particular rule (after you connect to the database):

    SELECT * FROM event WHERE signature_id=1000156;

If it is the one you are looking for, then issue an update:

    UPDATE event SET signature="American Express card number detected in clear text" WHERE signature_id=1000156;

Finally, if you are using a specific policy with PulledPork, I would recommend that you add a metadata to your signature specifying the policy you are after. For example: "metadata: policy balanced-ips drop;" for a balanced policy.

YM

Date: Wed, 16 Jul 2014 13:21:31 -0400
From: rehnquyst () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Alert [1:xx] - sid-msg.map looks correct

Hi,

I've added some custom rules I grabbed from SANS, and changed them a little bit to look like this:

    alert tcp any any <> any any (msg:"American Express card number detected in clear text";pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/";content:"amex";nocase;sid:1000156;rev:1;)

Pulledpork update seems to have generated the sid-msg.map correctly, because this alert does show up in the file:

    1000156 || American Express card number detected in clear text

However, in my frontend, Snorby, the alerts are showing up as "Snort Alert [1:1000156:1]", which from my research seems to indicate that it's because either sid-msg.map isn't updated (which it is), or barnyard2 wasn't restarted. I've rebooted the server, so barnyard2 should have restarted correctly. Was there something I missed?

Thanks!
Rehn

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
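A consistency check for the situation in this thread, added here as an example and not code from either poster: it parses a Snort rules file and a v1 sid-msg.map, reports sids that are missing from the map (the case that leaves barnyard2 with the generic "Snort Alert [gid:sid:rev]" name), sids whose msg differs between the two, and stale map entries, and emits UPDATE statements for rows already in the database. RULES and SID_MSG_MAP are constructed sample input; the SQL targets barnyard2's `signature` table with `sig_gid`, `sig_sid`, `sig_rev` and `sig_name` columns, which is an assumption about the schema and not something the thread states.

```python
import re

# Constructed sample input: the rule from the thread plus one that has no map entry.
RULES = r'''
alert tcp any any <> any any (msg:"American Express card number detected in clear text";pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/";content:"amex";nocase;sid:1000156;rev:1;)
alert tcp any any -> any any (msg:"Test rule with no map entry"; content:"test"; sid:1000157; rev:2;)
'''
# Constructed sid-msg.map in the "sid || msg || ref..." form the thread shows, plus a stale entry.
SID_MSG_MAP = '''
1000156 || American Express card number detected in clear text
1000158 || Stale entry for a rule that no longer exists || url,example.invalid
'''

def parse_rules(text):
    """sid -> (msg, rev) per rule line; option order inside the parentheses does not matter."""
    rules = {}
    for line in text.splitlines():
        body = re.search(r'\((.*)\)\s*$', line)  # greedy: the pcre itself contains parentheses
        if line.lstrip().startswith('#') or not body:
            continue
        opts = body.group(1)
        msg = re.search(r'msg:\s*"((?:[^"\\]|\\.)*)"', opts)
        sid = re.search(r'\bsid:\s*(\d+)', opts)
        rev = re.search(r'\brev:\s*(\d+)', opts)
        if msg and sid:
            rules[int(sid.group(1))] = (msg.group(1), int(rev.group(1)) if rev else 1)
    return rules

def parse_sid_msg_map(text):
    """sid -> msg from a v1 sid-msg.map; fields after the msg are references and are ignored."""
    entries = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split('||')]
        if len(fields) >= 2 and fields[0].isdigit():
            entries[int(fields[0])] = fields[1]
    return entries

def check(rules, sidmap):
    """(missing, mismatched, stale): a sid missing from the map is what yields the generic name."""
    missing = sorted(s for s in rules if s not in sidmap)
    mismatched = sorted(s for s in rules if s in sidmap and sidmap[s] != rules[s][0])
    stale = sorted(s for s in sidmap if s not in rules)
    return missing, mismatched, stale

def sql_fix(rules, sids, gid=1):
    """UPDATEs for rows already inserted. Assumed schema: barnyard2 'signature' table."""
    stmts = []
    for sid in sids:
        msg, rev = rules[sid]
        safe = msg.replace("'", "''")  # escape quotes for the SQL string literal
        stmts.append(f"UPDATE signature SET sig_name='{safe}' WHERE sig_gid={gid} AND sig_sid={sid} AND sig_rev={rev};")
    return stmts
```

Run `check(parse_rules(open('local.rules').read()), parse_sid_msg_map(open('sid-msg.map').read()))` against the real files; a non-empty `missing` list means PulledPork's map is the thing to regenerate before restarting barnyard2, while a clean result points at the rows already stored in the database.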
Current thread:
- Snort Alert [1:xx] - sid-msg.map looks correct William Rehnquyst (Jul 16)
- Re: Snort Alert [1:xx] - sid-msg.map looks correct Joel Esler (jesler) (Jul 16)
- Re: Snort Alert [1:xx] - sid-msg.map looks correct Y M (Jul 16)