Snort mailing list archives

RE: Bleedingsnort: Classification & Reference URL

From: "McCash, John" <John.McCash () andrew com>
Date: Wed, 20 Oct 2004 14:16:08 -0500

Joel,
        Wow! Cool! Why the ^$%&%6 didn't I ever think to do that? The same thing works for the nessus references, with 
the new line being:

"nessus"    => array("http://cgi.nessus.org/plugins/dump.php3?id=";, ""),

However I do note one oddity... There are certain alerts that still don't come up. For example I'm looking at a 
'BLEEDING-EDGE IE homepage hijacking' alert from the day before yesterday, and it still has 'url' with no link in the 
ACID interface. Most others are OK, but there seem to be a few exceptions. Looking at the rules, they seem to be 
formatted OK. Any ideas?
                John


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Esler, Joel - Contractor
Sent: Wednesday, October 13, 2004 8:16 AM
To: Archibald, B. Jay @ CSW-SLC; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Bleedingsnort: Classification & Reference URL

I am assuming you are referring to ACID in this instance? The url thing
is easy..  While Snort added the "url" feature to allow ANY Url to be
used as a reference, ACID wasn't updated to follow suit...

In your acid_conf.php there is a section entitled "Signature
references"..

You will see arrays for bugtraq, snort, cve, arachnids... And the like,
however, if you come down to your final line, change the ";" to a ","
then add the following line:

"url"       => array("http://";, ""));

Underneath it will make the "url" part look right...

As far as classification goes, you have to compare classification.config
with the classification that is in the rule itself, it will classify the
rule if your rule has the "classtype:" modifier in it.

Joel Esler, GCIA




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Archibald,
B. Jay @ CSW-SLC
Sent: Tuesday, October 12, 2004 3:44 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Bleedingsnort: Classification & Reference URL


I have added signatures from bleedingsnort.com.  I have noticed that all
the alerts are being listed under the "unclassified" classification and
the URL reference links are displayed as "URL" without a link.

Could someone explain what I need to do to add the bleedingsnort
classifications and get the reference links to work.

Thanks,

Jay Archibald


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give
us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find
out more http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listžort-users

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.  
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
[mf2]


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Bleedingsnort: Classification & Reference URL Archibald, B. Jay @ CSW-SLC (Oct 12)
- Re: Bleedingsnort: Classification & Reference URL Alex Butcher, ISC/ISYS (Oct 13)
- <Possible follow-ups>
- RE: Bleedingsnort: Classification & Reference URL Esler, Joel - Contractor (Oct 13)
- RE: Bleedingsnort: Classification & Reference URL McCash, John (Oct 20)