Snort mailing list archives

Re: How Can I display the rule name instead of the ID with ACID?


From: "Berta Alcala" <berta83 () gmail com>
Date: Tue, 13 May 2008 11:11:59 +0200

Thank you very much for your reply.
As Matt says, what I really want is to display the signature description
in the "sig_name" field instead of the signature ID.
I don't use barnyard or BASE. So the first thing I'm going to do is to
install BASE. Do I need to use barnyard?

Regards,
Berta

2008/5/12 Joel Esler <joel.esler () mac com>:

So, if you are seeing just the sig-id in the signature field instead of
the name of the signature, that leads me to believe that you are using
barnyard to read unified files and output their contents into the db.

The problem is not with base, acid, or even Snort. It's a
misconfiguration in Barnyard.  You don't have your barnyard reading your
correct sid-msg.map file.

Joel

On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:

Yep, for a first step it will be great if you can just use BASE instead.
Just hit the following link to download the latest version of BASE:

http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz

There are two columns named "signature" and "sig_name" on the
"acid_event" table that contain the same value, the signature ID
(sig_id).

In this case, what Berta really wants is to display the signature
description in the "sig_name" field (not the signature ID), CMIIW.

Regards,
Matt

--- Joel Esler <joel.esler () mac com> wrote:

First, you should switch to BASE http://base.secureideas.net.  ACID has
been dead for at least 5 years.

Second, do you mean that in the signature name field you have a number,
and not the name of the alert?  Or are you saying that you want the
description of the rule displayed somewhere?

Please clarify your statement so that we can make a more helpful
suggestion.

Joel

On May 12, 2008, at 5:04 AM, Berta Alcala wrote:

I use snort+acid+mysql. When I display the alerts there is a "Signature"
column that is the signature ID.
I need the "sig_name" field (which is the rule's description) instead of
the sig_id. The problem is in the "acid_event" table: there are
"signature" and "sig_name", both with the same value, the ID.
How can I get the description? There are a lot of files and I don't know
which one I have to modify.


-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler
  joel.esler () mac com
  http://blog.joelesler.net
[m]

--
Joel Esler
  joel.esler () mac com
  http://blog.joelesler.net
[m]


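Joel's diagnosis above (barnyard fills in rule names from sid-msg.map, and a wrong map leaves the bare ID) and Matt's point about the duplicated acid_event columns, illustrated with an added Python example that is not code from this thread, from barnyard, or from BASE. It assumes the classic one-line-per-rule sid-msg.map format "sid || msg || ref, ref ..."; the sample map contents and the acid_event rows are constructed, and the check at the end only spots rows whose sig_name is still a number.

```python
# Added example (not from the thread): how a sid-msg.map lookup turns a
# Snort signature ID into the rule's "msg" text, and a check for the
# symptom Berta describes (sig_name holding the numeric ID).
# Assumed map format (classic Snort 2.x style): sid || msg || ref, ref ...

# Constructed sample sid-msg.map contents (not a map shipped with Snort).
SAMPLE_SID_MSG_MAP = """\
# comment lines and blank lines are ignored

1000001 || LOCAL test rule one || url,example.invalid
1000002 || LOCAL test rule two
"""

def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map contents; malformed lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # not "sid || msg ..." -> ignore, as a loader should
        mapping[int(fields[0])] = fields[1]
    return mapping

def resolve_sig_name(sid, mapping):
    """What lands in sig_name: the msg if the map knows the sid, else the bare ID.
    The fallback to the ID is the symptom the thread describes (wrong/missing map)."""
    return mapping.get(sid, str(sid))

def unresolved_names(rows):
    """Given (sig_id, sig_name) rows as stored in acid_event, return the sig_ids
    whose sig_name is just the numeric ID, i.e. rows that were never mapped."""
    return [sid for sid, name in rows if name.strip() == str(sid)]

if __name__ == "__main__":
    m = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    # 1000003 is deliberately absent from the map to show the fallback.
    rows = [(sid, resolve_sig_name(sid, m)) for sid in (1000001, 1000002, 1000003)]
    for sid, name in rows:
        print(sid, "->", name)
    print("unmapped sids:", unresolved_names(rows))
```

Running the same check against the real acid_event rows (sig_id, sig_name) tells you how many alerts were logged before the map was fixed; those rows keep the bare ID until re-processed.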