Snort mailing list archives

Re: How Can I display the rule name instead of the ID with ACID?


From: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com>
Date: Tue, 13 May 2008 04:45:11 -0700 (PDT)


--- Berta Alcala <berta83 () gmail com> wrote:

I don't use barnyard, nor BASE. So the first thing I'm going to do is install BASE. Do I need to use barnyard?

It gets better if you use Barnyard to process the unified file format produced by Snort.

Snort's performance will increase greatly because Snort no longer needs to spend effort writing its output directly to the database. Let Barnyard take that job ;) Snort will be more focused on monitoring the traffic.

And with BASE you get more advantages than by still using the old-fashioned ACID ;)

Happy snorting B-)
Matt





2008/5/12 Joel Esler <joel.esler () mac com>:

So, displaying just the sig-id in the signature field instead of the name of the signature leads me to believe that you are using barnyard to read unified files and output their contents into the db.

The problem is not with BASE, ACID, or even Snort. It's a misconfiguration in Barnyard. You don't have your barnyard reading your correct sid-msg.map file.

Joel

On May 12, 2008, at 3:31 PM, Rachmat Hidayat Al-Anshar wrote:

Yep, for a first step it will be great if you can just use BASE instead. Just hit the following link to download the latest version of BASE:

http://optusnet.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz

There are two columns named "signature" and "sig_name" on the "acid_event" table that contain the same value, the signature ID (sig_id).

In this case, what Berta really wants is how to display the signature description in the "sig_name" field (not the signature ID), CMIIW.

regards
Matt




--- Joel Esler <joel.esler () mac com> wrote:

First, you should switch to BASE http://base.secureideas.net. ACID has been dead for at least 5 years.

Second, do you mean that in the signature name field you have a number, and not the name of the alert? Or are you saying that you want the description of the rule displayed somewhere?

Please clarify your statement so that we can make a better, more helpful suggestion.

Joel

On May 12, 2008, at 5:04 AM, Berta Alcala wrote:

I use snort+acid+mysql. When I display the alerts there is a "Signature" column that is the signature ID. I need the "sig_name" field (which is the rule's description) instead of the sig_id. The problem is in the "acid_event" table: here there are "signature" and "sig_name", both with the same value, the ID.
How can I get the description? There are a lot of files and I don't know which one I have to modify.






--
Joel Esler
  joel.esler () mac com
  http://blog.joelesler.net
[m]



















--
Joel Esler

=== message truncated ===



      

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
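Editor's added example, not code from this thread, from Snort, Barnyard or BASE. Joel's diagnosis above is that the numeric value in sig_name comes from the unified-file consumer (Barnyard) not reading the sid-msg.map that matches the loaded rules. The script below shows what that lookup does: a generator-1 event is named through sid-msg.map (layout `sid || msg || ref ...`), any other generator through gen-msg.map (layout `gid || sid || msg`), and an id with no map entry degrades to its bare number, which is the symptom Berta describes. It also includes an audit that lists every (gid, sid) a given map cannot name, which is the check to run against the map file the consumer is configured with. The map contents, the alerts and the numeric fallback string are constructed for illustration; the exact fallback text a real tool writes is tool-specific.

```python
"""Added example: sid-msg.map / gen-msg.map resolution and a map audit.
Not from the thread, Snort, Barnyard or BASE; sample data is constructed."""

from collections import namedtuple

# Constructed sample map files (not real rule data).  Layout follows the
# Snort sid-msg.map ("sid || msg || ref ...") and gen-msg.map
# ("gid || sid || msg") conventions.
SID_MSG_MAP = """\
# sid || msg || reference ...
1000001 || LOCAL example rule || url,example.invalid
1000002 || LOCAL second example rule
"""

GEN_MSG_MAP = """\
# gid || sid || msg
1 || 1 || snort general alert
122 || 1 || (portscan) TCP Portscan
"""

# Minimal view of what a unified record carries for naming purposes.
Alert = namedtuple("Alert", "gid sid rev")


def _split_fields(line):
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """Return {sid: msg} for generator-1 rules. Blank, comment and malformed
    lines are skipped so one bad line does not discard the whole map."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        mapping[int(fields[0])] = fields[1]
    return mapping


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} for preprocessor and decoder generators."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        mapping[(int(fields[0]), int(fields[1]))] = fields[2]
    return mapping


def lookup_name(alert, sid_map, gen_map):
    """Return the message text for an alert, or None when no map names it.
    Generator 1 (rules) is resolved via sid-msg.map, everything else via
    gen-msg.map."""
    if alert.gid == 1:
        return sid_map.get(alert.sid)
    return gen_map.get((alert.gid, alert.sid))


def resolve_name(alert, sid_map, gen_map):
    """Name an alert for storage. With no map entry this falls back to the
    bare numeric sid (an assumed fallback), reproducing the thread's symptom:
    sig_name holding the same value as the signature id."""
    name = lookup_name(alert, sid_map, gen_map)
    return name if name is not None else str(alert.sid)


def audit_map(alerts, sid_map, gen_map):
    """Return sorted (gid, sid) pairs the loaded maps cannot name. Hits for
    rules you know are loaded mean the map file the consumer reads was not
    generated from the active rule set."""
    missing = {(a.gid, a.sid) for a in alerts
               if lookup_name(a, sid_map, gen_map) is None}
    return sorted(missing)


# Constructed alerts: two are covered by the maps above, the third is not.
SAMPLE_ALERTS = [Alert(1, 1000001, 1), Alert(122, 1, 1), Alert(1, 2000538, 3)]

if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    for a in SAMPLE_ALERTS:
        print(f"[{a.gid}:{a.sid}:{a.rev}] -> {resolve_name(a, sid_map, gen_map)}")
    print("unmapped:", audit_map(SAMPLE_ALERTS, sid_map, gen_map))
```

If the audit reports sids that are present in the rules Snort is actually loading, regenerate sid-msg.map from those rule files (the Snort distribution ships a contrib script for this, and rule managers such as Oinkmaster can do it too) and point the consumer at that file; in Barnyard that is the `config sid-msg-map:` and `config gen-msg-map:` directives in barnyard.conf. Restarting the consumer afterwards only affects new events; rows already written with the numeric name stay as they are.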

