Snort mailing list archives

Unified output and multiple .map's.


From: Chris Keladis <chris () cmc optus net au>
Date: Sat, 05 Mar 2005 12:31:56 +1100

Hi all,

I was wondering how people using the unified output, the official Snort rules and the bleeding rules are handling their .map files?

It seems it's a bit of a catch-22.

If you have multiple .map files, say, in their respective rule subdirs, the spool pre-processor (Mudpit in this case) does not seem to like multiple .map files. In fact, it defines them in the global {} section of the config.

Looking at Barnyard, it takes .map files on the command line and it seems to accept one set (gen, sid) per instance.

Concatenating the .map files into one big one works okay, but causes Oinkmaster confusion: when parsing the official rules it sees and removes the bleeding sid-msg.map entries, and vice versa.

It requires the extra step of re-creating the sid-msg.map file after both sets of rules have been applied via Oinkmaster.

The obvious solution to this is to have the unified pre-processors accept multiple .map files from different rule-sets.

Or is there another way to organize the rules whilst keeping Snort, the unified log pre-processor, and Oinkmaster happy?




Thanks,

Chris.
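As an added example (not part of Chris's post, nor code from Oinkmaster, Barnyard or Mudpit), here is the kind of post-Oinkmaster merge step the message describes: it parses each rule set's sid-msg.map, keeps one entry per SID, and reports any SID that both rule sets define with a different message, so an overlap is caught before the combined map is handed to the unified spool reader. The two map contents below are constructed samples standing in for the official and bleeding files.

```python
# Constructed sample sid-msg.map contents standing in for the official and
# bleeding rule sets' files; one "sid || msg || ref,..." entry per line.
OFFICIAL_MAP = """\
# official rules
1000 || PROTOCOL-ICMP test ping || url,example.invalid/icmp
1001 || SQL generic injection attempt
"""
BLEEDING_MAP = """\
2000001 || BLEEDING-EDGE test alert
1001 || BLEEDING-EDGE same sid, different text
"""

def parse_sid_map(text):
    """Return {sid: (msg, [refs])} for one sid-msg.map; blanks and # comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError("malformed sid-msg.map line: %r" % line)
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries

def merge_sid_maps(maps):
    """Merge parsed maps in order (first definition of a SID wins) and
    return (merged, conflicts); conflicts lists SIDs whose message differs
    between rule sets so the overlap can be fixed before Barnyard loads it."""
    merged, conflicts = {}, []
    for entries in maps:
        for sid, (msg, refs) in entries.items():
            if sid in merged:
                if merged[sid][0] != msg:
                    conflicts.append(sid)
                continue
            merged[sid] = (msg, refs)
    return merged, conflicts

def format_sid_map(merged):
    """Render a merged map back to sid-msg.map syntax, sorted by SID."""
    return "".join(" || ".join([str(sid), msg] + refs) + "\n"
                   for sid, (msg, refs) in sorted(merged.items()))

if __name__ == "__main__":
    merged, conflicts = merge_sid_maps([parse_sid_map(OFFICIAL_MAP),
                                        parse_sid_map(BLEEDING_MAP)])
    print(format_sid_map(merged), end="")
    for sid in conflicts:
        print("warning: sid %d has different messages in two rule sets" % sid)
```

In real use the two constants would be replaced by the contents of each rule subdir's sid-msg.map read after Oinkmaster has run, and the output written to the single file that Barnyard or Mudpit is pointed at.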