Snort mailing list archives

Re: Linking rules in BASE


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 24 Aug 2010 10:15:29 -0600

BASE has a link where you can see the actual rule text (from the rule file downloaded), if you put it in a specific
directory and enable the option. It just greps the rule text out of the file. It's very useful sometimes to see
exactly why a rule fired off on the traffic.

________________________________
From: JJC [mailto:cummingsj () gmail com]
Sent: Tuesday, August 24, 2010 9:00 AM
To: Jefferson, Shawn
Cc: Kun, Mike; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Linking rules in BASE

Looks like I'll have to set up BASE to see exactly what you are talking about here... I suspect it's the rules .txt
files that contain the rule documentation that BASE is looking for, but I'm not exactly sure since I don't use BASE.
Do you have a screenshot/pastebin or something that I can have a quick look at?

On Tue, Aug 24, 2010 at 9:47 AM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

I am copying the snort.rules and emerging.rules files, yes. Is the rule sid that you are trying to look up even in that
directory? Also, check the permissions/ownership on the file; that may also be an issue (I think I had that issue when
I first set this up).



-----Original Message-----
From: Kun, Mike [mailto:mkun () akamai com]
Sent: Tuesday, August 24, 2010 8:43 AM
To: Jefferson, Shawn; snort-users () lists sourceforge net
Subject: RE: Linking rules in BASE

Are you copying the snort.rules file?
I tried that on my install, but I'm still getting the same error. It looks to me like BASE can't query the snort.rules
file correctly.

-Mike


-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Tuesday, August 24, 2010 11:39 AM
To: Kun, Mike; snort-users () lists sourceforge net
Subject: RE: Linking rules in BASE

Hi,

I have a cron job that copies the text rule files from the location
pulledpork puts them into the base www directory.  Seems to work for
me.

-----Original Message-----
From: Kun, Mike [mailto:mkun () akamai com]
Sent: Tuesday, August 24, 2010 8:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Linking rules in BASE

Is there a way to get the "rule" links working when using pulledpork
to pull in a snort.rules file?
When I symlink BASE to the file I get "ERROR: Could not find
"sig:XXXXX;" in directory "rules/"."
In that directory is the snort.rules file that pulledpork created.
Any advice?

-Mike

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
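
Added example (not part of the original thread, and not BASE's own code): a shell check for the two causes raised above, the sid missing from the copied rule files and the file permissions. It assumes the lookup reads *.rules files in a single directory for the literal string "sid:<number>;" and that the web server reads them through the "other" permission bits; check_rule_link and its return codes are hypothetical names.

```shell
#!/bin/sh
# Added example: diagnose why a BASE "rule" link cannot find a sid.
# Assumptions (not taken from BASE's source): the lookup reads *.rules files
# in one directory and searches for the literal string "sid:<number>;", and
# the web server reads the files through the "other" permission bits.
# Run it as a user who can read the files (root or the file owner).

# check_rule_link DIR SID
# Prints one finding and returns:
#   0 sid found in a world-readable file   1 bad arguments or missing directory
#   2 no *.rules files in DIR              3 sid present, file not world-readable
#   4 sid not present in any *.rules file
check_rule_link() {
    dir=$1 sid=$2
    case $sid in ''|*[!0-9]*) echo "sid must be numeric"; return 1 ;; esac
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }

    seen=0 blocked=""
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue          # unmatched glob or dangling symlink
        seen=1
        # -F: fixed string, so "sid:123;" never matches "sid:1234;"
        grep -qF "sid:${sid};" "$f" 2>/dev/null || continue
        # find -L follows symlinks, so a linked snort.rules is judged by its target
        if [ -n "$(find -L "$f" -prune ! -perm -004)" ]; then
            blocked=$f
            continue
        fi
        echo "found sid:${sid}; in $f"
        return 0
    done

    [ "$seen" -eq 1 ] || { echo "no *.rules files in $dir"; return 2; }
    if [ -n "$blocked" ]; then
        echo "sid:${sid}; is in $blocked but the file is not world-readable"
        return 3
    fi
    echo "sid:${sid}; not in any *.rules file in $dir"
    return 4
}
```

Call it with the directory BASE is configured to read and the numeric sid from the alert, for example after the cron copy has run.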