Snort mailing list archives

RE: Snort rule lookup from ACID


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 16 Mar 2005 09:37:04 -0600

Same here, I like to see the rule that fired the alert.  I don't want to
have to SSH to my IDS box to see what it looks like.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeff Kell
Sent: Wednesday, March 16, 2005 9:17 AM
To: Duran, Randy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule lookup from ACID

Duran, Randy wrote:
I have not seen an answer to this question so I'll post the solution
which I found on the support forum on snort.org for the benefit of those
who haven't looked there yet.

In acid_conf.php change the line that reads:

"snort" => array("http://www.snort.org/snort-db/sid.html?sid=";, ""),

change it to:

"snort" => array("http://www.snort.org/pub-bin/sigs.cgi?sid=";, ""),

On a more general note, does it bother anyone else that the "new" snort 
rule documentation no longer shows the signature?

Often when I get questionable alerts, I want to see what made the rule 
fire.  Surely there has to be a better alternative than grepping the 
rules file on the sensor.  Can't you allow something like the 'oink 
code' logic to let the new HTML page render the rule itself?

Jeff (who got his oink code to work to get rules, now wishing I could
       properly display the docs as before)


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

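The lookup Jeff asks for above, resolving a SID to the rule text that fired an alert without grepping the sensor's rules files, as an added example. This is not code from the thread, from ACID or from Snort; the function names are assumed and the rules below are constructed samples, not real signatures.

```python
"""Index local Snort rules by SID so an analyst can view the rule behind an
alert. Added example; the sample rules are constructed, not real signatures."""
import re
from typing import Dict, Optional

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# msg value may contain escaped quotes (\"), so allow backslash-escaped chars
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_rules(text: str) -> Dict[int, dict]:
    """Return {sid: {"rule": full rule text, "msg": msg or None, "enabled": bool}}.
    Joins backslash-continued lines and keeps commented-out rules as disabled."""
    index: Dict[int, dict] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):              # continuation: join with next line
            logical += line[:-1].rstrip() + " "
            continue
        logical += line
        rule, logical = logical.strip(), ""
        if not rule:
            continue
        enabled = not rule.startswith("#")
        body = rule if enabled else rule.lstrip("# ")
        m = SID_RE.search(body)
        if m is None:
            continue                          # plain comment or rule without a sid
        mm = MSG_RE.search(body)
        index[int(m.group(1))] = {"rule": body,
                                  "msg": mm.group(1) if mm else None,
                                  "enabled": enabled}
    return index


def lookup(index: Dict[int, dict], sid: int) -> Optional[str]:
    """Return the rule text for a SID, or None if the local rules lack it."""
    entry = index.get(sid)
    return entry["rule"] if entry else None


SAMPLE_RULES = """\
# Constructed sample rules for this example (not real Snort signatures)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB test probe"; \\
    flow:to_server,established; content:"/probe"; sid:1000001; rev:1;)
# alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE DNS disabled rule"; sid:1000002; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE SSH banner \\"quoted\\""; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    idx = parse_rules(SAMPLE_RULES)
    print(lookup(idx, 1000001))
```

Pointing parse_rules at the concatenated contents of the sensor's rules directory gives the same SID-to-rule mapping the ACID link tries to fetch from snort.org, but from the rules actually loaded.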
