Snort mailing list archives
RE: Bleedingsnort: Classification & Reference URL
From: "McCash, John" <John.McCash () andrew com>
Date: Wed, 20 Oct 2004 14:16:08 -0500
Joel,

Wow! Cool! Why the ^$%&%6 didn't I ever think to do that? The same thing works for the nessus references, with the new line being:

    "nessus" => array("http://cgi.nessus.org/plugins/dump.php3?id=", ""),

However I do note one oddity... There are certain alerts that still don't come up. For example I'm looking at a 'BLEEDING-EDGE IE homepage hijacking' alert from the day before yesterday, and it still has 'url' with no link in the ACID interface. Most others are OK, but there seem to be a few exceptions. Looking at the rules, they seem to be formatted OK. Any ideas?

John

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Esler, Joel - Contractor
Sent: Wednesday, October 13, 2004 8:16 AM
To: Archibald, B. Jay @ CSW-SLC; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Bleedingsnort: Classification & Reference URL

I am assuming you are referring to ACID in this instance?

The url thing is easy.. While Snort added the "url" feature to allow ANY Url to be used as a reference, ACID wasn't updated to follow suit... In your acid_conf.php there is a section entitled "Signature references".. You will see arrays for bugtraq, snort, cve, arachnids... And the like, however, if you come down to your final line, change the ";" to a "," then add the following line:

    "url" => array("http://", ""));

Underneath it will make the "url" part look right...

As far as classification goes, you have to compare classification.config with the classification that is in the rule itself, it will classify the rule if your rule has the "classtype:" modifier in it.

Joel Esler, GCIA

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Archibald, B. Jay @ CSW-SLC
Sent: Tuesday, October 12, 2004 3:44 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Bleedingsnort: Classification & Reference URL

I have added signatures from bleedingsnort.com. I have noticed that all the alerts are being listed under the "unclassified" classification and the URL reference links are displayed as "URL" without a link. Could someone explain what I need to do to add the bleedingsnort classifications and get the reference links to work.

Thanks,
Jay Archibald

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any unauthorized use of this email is prohibited.
------------------------------------------------------------------------------------------------
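The comparison described in the thread (each rule's "classtype:" against classification.config, and each "reference:" system against the systems the alert viewer can link) can be run over a rules file before alerts arrive. This is an added example, not part of the original messages and not code from Snort or ACID; the sample rules, the classification excerpt and the LINKED_SYSTEMS set are constructed, with the four system names taken from the message above.

```python
import re

# Constructed sample rules (Snort rule syntax); sids and reference ids are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; content:"abc"; reference:url,www.example.com/advisory; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE two"; reference:nessus,00000; classtype:made-up-class; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; classtype:ignored; sid:1000003;)
alert udp any any -> any 53 (msg:"EXAMPLE three"; sid:1000004; rev:1;)
'''

# Constructed excerpt in classification.config syntax: shortname,description,priority
SAMPLE_CLASSIFICATIONS = '''
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
'''

# Assumption: the reference systems the viewer has a link template for,
# taken from the four names listed in the message above.
LINKED_SYSTEMS = {"bugtraq", "snort", "cve", "arachnids"}

# Match an option only at an option boundary ("(" or ";"), not inside a value.
OPTION_RE = re.compile(r'[(;]\s*(reference|classtype|sid)\s*:\s*([^;]+)(?=;)')

def parse_classifications(text):
    """Return the set of classtype short names defined in classification.config text."""
    pattern = re.compile(r'^\s*config\s+classification:\s*([^,\s]+)\s*,', re.M)
    return set(pattern.findall(text))

def audit_rules(rules_text, known_classes, linked_systems):
    """Return (sid, problem, value) tuples for every active rule with a gap."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out rules
        opts = [(k, v.strip()) for k, v in OPTION_RE.findall(line)]
        sid = next((v for k, v in opts if k == 'sid'), '?')
        classtypes = [v for k, v in opts if k == 'classtype']
        if not classtypes:
            findings.append((sid, 'no-classtype', ''))
        for name in classtypes:
            if name not in known_classes:
                findings.append((sid, 'unknown-classtype', name))
        for k, v in opts:
            system = v.split(',', 1)[0].strip().lower()
            if k == 'reference' and system not in linked_systems:
                findings.append((sid, 'unlinked-reference', system))
    return findings
```

Calling audit_rules() again with "url" and "nessus" added to the linked set leaves only the classtype findings, which narrows down whether a remaining unlinked alert comes from the rule or from the viewer.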
Current thread:
- Bleedingsnort: Classification & Reference URL Archibald, B. Jay @ CSW-SLC (Oct 12)
- Re: Bleedingsnort: Classification & Reference URL Alex Butcher, ISC/ISYS (Oct 13)
- <Possible follow-ups>
- RE: Bleedingsnort: Classification & Reference URL Esler, Joel - Contractor (Oct 13)
- RE: Bleedingsnort: Classification & Reference URL McCash, John (Oct 20)