Snort mailing list archives
Re: sid-msg maps and dynamic rules
From: Seth Art <sethsec () gmail com>
Date: Fri, 31 Jul 2009 16:55:43 -0400
Is it expected that these be added to the gen-msg.map? If so it is a bit painful -- the sidmsg.map can be created from scratch from the rule files but the gen-msg.map has a whole lot of static stuff and one therefore needs to append to the original.
Just keep a copy of the stock gen-msg.map handy and do something like this in your upgrade script:

--start--
cat /etc/snort/gen-msg.map.orig > /etc/snort/gen-msg.map
create_sidmap.pl /etc/snort/rules/so_rules/stubs/ | sed -e 's/^/3 || /g' | cut -f1-5 -d\| >> /etc/snort/gen-msg.map
--end--

The first line replaces the previous update's gen-msg.map with the stock one. The second line appends the new GID 3 mappings to the stock file. This way you will always have the stock mappings as well as ALL of the GID 3 mappings, with no duplicates.

The sed part appends the GEN ID and 2 pipes to the beginning of every line. The cut part removes everything else after the signature name (the url, the cve, etc) from each line.

Hope this helps!

-Seth
Is there a way of having this in a separate file?

Russell

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
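The upgrade step described in the message above, as an added example that is not part of the original post: it goes a little further by building the new map in a temporary file, refusing to install it if any GID 3 SID appears twice, and renaming it into place so a reader never sees a half-written gen-msg.map. The names rebuild_genmap, make_sample and so-sid.map are hypothetical, and the function assumes the create_sidmap.pl output for the stubs has been saved to a file in the usual "sid || msg || ref ..." layout.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are hypothetical.
# rebuild_genmap STOCK SIDMAP OUT
#   STOCK  : untouched copy of the shipped gen-msg.map (gen-msg.map.orig in the post)
#   SIDMAP : saved create_sidmap.pl output for the so_rules stubs (assumed layout)
#   OUT    : the live gen-msg.map to replace
rebuild_genmap() {
    stock=$1; sidmap=$2; out=$3
    # An empty or missing stock copy would silently drop every static mapping.
    [ -s "$stock" ] || { echo "stock map missing or empty: $stock" >&2; return 1; }
    [ -r "$sidmap" ] || { echo "cannot read sid map: $sidmap" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    {
        cat "$stock"
        # "sid || msg || ref ..." becomes "3 || sid || msg"; references are dropped.
        awk -F ' [|][|] ' '/^[0-9]+ [|][|] / { print "3 || " $1 " || " $2 }' "$sidmap"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install the file if any GID 3 SID is mapped twice.
    dups=$(awk -F ' [|][|] ' '$1 == 3 && seen[$2]++ { print $2 }' "$tmp")
    if [ -n "$dups" ]; then
        echo "duplicate GID 3 SIDs:" $dups >&2
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp"   # assumption: the map should be world-readable on this sensor
    mv "$tmp" "$out"   # rename inside one directory: no partially written map is visible
}

# Constructed sample inputs (not real rule data) for trying the function offline.
make_sample() {
    dir=$1
    printf '%s\n' '# Format: generatorid || alertid || MSG' \
        '1 || 1 || snort general alert' \
        '116 || 1 || EXAMPLE decoder message' > "$dir/gen-msg.map.orig"
    printf '%s\n' '10001 || EXAMPLE shared object rule one || url,example.com/1' \
        '10002 || EXAMPLE shared object rule two' > "$dir/so-sid.map"
}
```

Because the stock copy is re-read on every run, running the function again after a rule update yields the same file rather than a growing one.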
Current thread:
- sid-msg maps and dynamic rules Russell Fulton (Jul 28)
- Re: sid-msg maps and dynamic rules firnsy (Jul 30)
- Re: sid-msg maps and dynamic rules Seth Art (Jul 31)