Re: Help with Alerts

[Joel Esler <jesler () sourcefire com>]

I would put in a feature request on the pulledpork website for that functionality. I know JJ wants to get out a new 
release, so try and get it in quick!

--
Joel Esler
Sent from my iPad 

On Sep 9, 2012, at 8:50 PM, "Michael Steele" <michaels () winsnort com> wrote:

> Just talking processing the sig.msg.map; as long as you don't have an active
> local.rules file, running the stand alone 'create-sidmap.pl' file found in
> the very latest release of Oinkmaster, will prove to do exactly what PP
> does, as far as processing the sig.msg.map file?
>
> If I could isolate the PP process of updating the sig.msg.map to do it as
> quickly as the 'create-sidmap.pl' file does (about 2 seconds) I would
> replace the 'create-sidmap.pl' with PP, and leave it up to the end users to
> activate the auto rule updating portion.
>
> Is there some instructions on processing just the sig.msg.map file using PP?
>
> Kindest regards,
> Michael...
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Sunday, September 09, 2012 5:53 PM
> To: Michael Steele
> Cc: <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Help with Alerts
>
> You can run pulledpork in the configuration to only process already
> downloaded rules, yes.  
>
> But there are other benefits to pulledpork that outweigh the effort, IMHO. 
>
> --
> Joel Esler
>
> On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels () winsnort com> wrote:
>
> > Joel,
> >
> > When you say 'will include the SIDS from your local ruleset', you are 
> > referring to the local.rules file, correct?
> >
> > If that's the case; as long as there is no local.rules file, 
> > oinkmasters stand alone sid.msg.map utility should work fine.
> >
> > For my applications PP is a little messy to implament.
> >
> > I'd like to see a basic default run of that adds all the stock 
> > rulesets based on the stock snort.conf. The basic default should be 
> > exactly like manually adding a new rule set.
> >
> > Is it possible to use PP to only process the sid.msg.map? 
> >
> > Kindest regards,
> > Michael...
> >
> >
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Sunday, September 09, 2012 4:26 PM
> > To: wkitty42 () windstream net
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Help with Alerts
> >
> >
> > On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
> >
> > > On 9/9/2012 09:09, James Lay wrote:
> > > > On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 () windstream net>  wrote:
> > > >
> > > > > On 9/8/2012 07:53, Joel Esler wrote:
> > > > > > If you are using pulledpork, it should generate your Sid-MSG.map 
> > > > > > for you. Are you using pulledpork?
> > > > >
> > > > > and if you are not using pulledpork, there is a tool in the 
> > > > > utilities area for this... at least there was in the older versions 
> > > > > of snort... i guess it is still there?
> > > > >
> > > > > create-sidmap.pl /path/to/rules>  /path/to/sidmap/sid-msg.map
> > > >
> > > > Actually I think that's part of oinkmaster :)
> > >
> > > it might be... i dunno... i've seen it as a separate tool in several
> > places... 
> > > gotta dance a little dance if one has more than one rule directory,
> > though...
> >
> > It is part of oinkmaster. 
> >
> > As someone said earlier in the thread, you need to be using pulledpork 
> > to generate the Sid-MSG.map because that will include the SIDS from 
> > you local ruleset.
> > Very important. 
> > ----------------------------------------------------------------------
> > ------
> > --
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and 
> > threat landscape has changed and how IT managers can respond. 
> > Discussions will include endpoint security, mobile security and the 
> > latest in malware threats. 
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!
>
> ----------------------------------------------------------------------------
> --
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat
> landscape has changed and how IT managers can respond. Discussions will
> include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!