Snort mailing list archives

Re: sid-msg maps and dynamic rules


From: Seth Art <sethsec () gmail com>
Date: Fri, 31 Jul 2009 16:55:43 -0400


Is it expected that these be added to the gen-msg.map?

If so it is a bit painful -- the sidmsg.map can be created from
scratch from the rule files but the gen-msg.map has a whole lot of
static stuff and one therefore needs to append to the original.

Just keep a copy of the stock gen-msg.map handy and do something like
this in your upgrade script:

--start--

cat /etc/snort/gen-msg.map.orig > /etc/snort/gen-msg.map

create_sidmap.pl /etc/snort/rules/so_rules/stubs/ | sed -e 's/^/3 || /g' | cut -f1-5 -d\| >> /etc/snort/gen-msg.map

--end--

The first line replaces the previous update's gen-msg.map with the
stock one. The second line appends the new GID 3 mappings to the
stock file.

This way you will always have the stock mappings as well as ALL of the
GID 3 mappings, with no duplicates.

The sed part appends the GEN ID and 2 pipes to the beginning of every line.
The cut part removes everything else after the signature name (the
url, the cve, etc) from each line.

Hope this helps!

-Seth



Is there a way of having this in a separate file?

Russell
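The rebuild described in the reply above, written out as a small script. This is an added example, not Seth's or the Snort project's code: it assumes sid-msg.map-style input lines of the form `sid || msg || ref ...` (the output of create_sidmap.pl), takes the stock copy, the sid-msg input and the output path as arguments instead of hard-coding /etc/snort paths, and additionally skips any `3 || sid` entry that the stock file already carries, so the result never contains duplicate GID 3 lines even if the stock file has been edited by hand.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild gen-msg.map from a
# stock copy plus GID 3 entries derived from sid-msg.map-style lines.
# File paths are passed in as arguments; the /etc/snort paths in the post
# would be the real ones.

# Convert sid-msg.map lines ("sid || msg || ref ...") into gen-msg.map
# lines ("3 || sid || msg"). Comment and blank lines are dropped, the GID
# and two pipes are prepended, everything after the message (references)
# is cut away, and trailing whitespace left by the cut is trimmed.
so_rules_to_genmsg() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/^/3 || /' \
        | cut -f1-5 -d'|' \
        | sed -e 's/[[:space:]]*$//'
}

# rebuild_genmsg STOCK SIDMAP OUT
# Start from the stock gen-msg.map, then append each GID 3 entry whose
# "3 || sid" prefix is not already present in the output file.
rebuild_genmsg() {
    stock="$1"; sidmap="$2"; out="$3"
    cat "$stock" > "$out"
    so_rules_to_genmsg < "$sidmap" | while IFS= read -r line; do
        # "3 || sid " (first three pipe-delimited fields) identifies the entry
        key=$(printf '%s\n' "$line" | cut -f1-3 -d'|')
        grep -q -- "^$key" "$out" || printf '%s\n' "$line" >> "$out"
    done
}

# Typical use (paths as in the post):
#   rebuild_genmsg /etc/snort/gen-msg.map.orig \
#       "$(create_sidmap.pl /etc/snort/rules/so_rules/stubs/ > /tmp/so.map; echo /tmp/so.map)" \
#       /etc/snort/gen-msg.map
```

The dedup check matches on the `3 || sid` prefix only, so a stock file that already lists a given SO rule keeps its original line and the freshly generated one is skipped; the message text is not compared, which is what you want when the stock copy has a slightly different message string for the same SID.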


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

