Re: sid-msg.map incomplete again

[Nigel Houghton <nhoughton () sourcefire com>]

On Tue, 25 Jan 2011 14:30:44 -0500, Lawrence R. Hughes, Sr. wrote:
> Nigel,
>
> That's great if you use pulledpork, we do not.
> PulledPork was not a requirement for snort to work correctly.
>
> Thanks,
> Larry
>
> ----- Original Message ----- From: "Nigel Houghton" 
> <nhoughton () sourcefire com>
> To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
> Cc: <snort-users () lists sourceforge net>
> Sent: Tuesday, January 25, 2011 12:07 PM
> Subject: Re: [Snort-users] sid-msg.map incomplete again
>
>
> > On Tue, 25 Jan 2011 11:32:08 -0500, Lawrence R. Hughes, Sr. wrote:
> > > Hi,
> > >
> > > How come VRT continues to release new rules, but does not update the
> > > sid-msg.map file?
> > > Just downloaded the latest VRT rules with 4 new rules and the
> > > following sids were missing from the sid-msg.map file for these rules:
> > >
> > >
> > > 18206 || NETBIOS Windows Address Book wab32res.dll malicious DLL load
> > > 18209 || NETBIOS Windows 7 Home peerdist.dll dll-load exploit attempt
> > > 18211 || NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt
> > > 18278 || NETBIOS Vista Backup Tool fveapi.dll dll-load exploit attempt
> > > We added the above by hand...
> >
> > Pulledpork[0] will take care of your sid-msg.map. That way you can
> > include all the rules you use, not just the VRT ones and you also get
> > to include the local rules you have written for your environment too.
> >
> > [0] - http://code.google.com/p/pulledpork/
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT Department of Intelligence Excellence
> > http://vrt-blog.snort.org/ && http://labs.snort.org/

Just for everyone's clarification here, Snort does not need the 
sid-msg.map, you only need that for your event data in your database if 
you use BASE or similar. Barnyard uses it.

We suggest that folks use PulledPork to manage their rules and their 
sid-msg.map etc... and that you output to a unified file from Snort and 
use Barnyard to process that file to put the event data into a database 
or whatever.

If you don't want to use PulledPork, it is pretty easy to write a 
script (in whatever language you like) that processes the rules files 
to produce a sid-msg.map.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users