Re: Updating sid-msg.map

[Tamara Fisher <tammi888 () gmail com>]

Thanks YM.

This still baffles me. PulledPork seems to be doing what it should be
doing. It runs nightly and I see my custom rules as entries in the
sid-msg.map file. My alerts go to Splunk but Splunk just pulls directly
from /var/log/barnyard2/alert file. I do not have a database. The
disconnect appears to be Barnyard2. Barnyard2 and snort are restarted
together nightly with my pulledpork script. I use the following command to
start Barnyard2 which references the sid-msg.map.

$ /usr/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort
-f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map \
    -S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null &

but the alerts that are written to /var/log/barnyard2/alert are still the
generic ones.



On Wed, Apr 17, 2013 at 6:35 AM, Y M <snort () outlook com> wrote:

>  Sorry, I forgot to mention that you may need to add a policy type to
> your custom rules so that if you run pulledpork with specific policy
> (balanced, security, etc) it will pick up your custom rules as well.
>  ------------------------------
> From: Tamara Fisher <tammi888 () gmail com>
> Sent: 4/16/2013 10:29 PM
> To: Y M <snort () outlook com>
>
> Subject: Re: [Snort-users] Updating sid-msg.map
>
>  ok, awesome. thanks for your help
>
>
> On Tue, Apr 16, 2013 at 3:19 PM, Y M <snort () outlook com> wrote:
>
>
>  Are they showing generic in the GUI you use? If so, then you have to
> update the database as well from the generic "Snort Alert" message to the
> actual message in your rule.
>  ------------------------------
> Date: Tue, 16 Apr 2013 15:13:27 -0400
> Subject: Re: [Snort-users] Updating sid-msg.map
> From: tammi888 () gmail com
> To: snort () outlook com
>
>
> Thanks YM. So I went to manually add my new local rules to the sid-msg.map
> and they are already there (I have pulledpork setup as you do already) but
> alerts that are triggered for those rules are still generic. Any ideas?
>
>
> On Tue, Apr 16, 2013 at 2:45 PM, Y M <snort () outlook com> wrote:
>
>  The reason they show up as a generic "Snort Alert" is because barnyard
> did not find an entry for the rule in the sid-msg.map.
>
> The way I do it to fix existing rules, I add the entry for the rule
> manually to the sid-msg.map (following the same format), and for the
> database entries, run the following sql command against Snort database
> to select the generic "Snort Alert":
>
> SELECT sig_name FROM signature WHERE sig_sid=<generic_rule_sid>
>
> This will return the rule, then you can either edit it manually or issue
> and update command.
>
> I follow the same procedure when I create new rules, but since they I
> added them to the sid-msg.map first, barnyard picks up the entry from there
> and inserts the correct value into the database.  Also my pulledpork has
> the path to my local rules file setup to it picks my rules the next time I
> run pulledpork and adds them to the update sid-msg.map
>
>  ------------------------------
> Date: Tue, 16 Apr 2013 14:13:16 -0400
> From: tammi888 () gmail com
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Updating sid-msg.map
>
>
> Hi. I'm having issues when I am creating new local rules where rules show
> up with generic name 'Snort Alert' instead of what is in the msg field.
> Google tells me that barnyard2 is able to translate the msg field from
> sid-msg.map but I also read that running pulled pork should update that
> file.
>
> My rules are still the same though after running pulledpork. Do I need to
> update this manually? How do I fix it?
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use our
> toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________ Snort-users mailing list
> Snort-users () lists sourceforge net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit
> http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!