Snort mailing list archives
Re: Snort Alert [1:P201XXX:1]
From: "Matheus Condi'ez" <conma293 () gmail com>
Date: Wed, 28 May 2014 15:03:53 +1200
hmmmm I thought pulledpork generated an absolute sid-msg.map just as it does snort.rules as opposed to merely rolling updates...? I will have a look at the gen-msg.map, that may be where the fault lies as I have not dragged that across

On Wed, May 28, 2014 at 5:45 AM, waldo kitty <wkitty42 () windstream net> wrote:
> On 5/26/2014 11:47 PM, Matheus Condi'ez wrote:
>> Hey guys, I have snort instance grabbing rules and sid-msg.map from pulled pork - both VRT && ET rules. I have a whole lot of ET ..... & just generic messages for rules. But about 80% of firing events have no 'event name' just Snort Alert [1:201209:1] or similar... has anyone encountered this issue? I'm thinking it's the sid-msg.map but why for some and not for others?
>
> you need to ensure that your sid-msg.map is up to date after each pull... there are tools available to do this for you... part of your problem is likely that a sid-msg.map is included in one or more rules sets but it only has entries for the rules in that set... if you are simply copying it over to the proper location then you are overwriting and losing the others... as i understand it, pulledpork can/will generate the sid-msg.map for you... there's also a tool that came with oinkmaster that can do this but it generates the older format of sid-msg.map...
>
> --
> NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
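The situation waldo describes (each rule set ships a sid-msg.map that only covers its own sids, so copying one over the other leaves most alerts as a bare "Snort Alert [gid:sid:rev]") is easiest to see by building the map from the rules themselves. The script below is an added example written for this thread, not pulledpork's or Snort's own code: it merges every enabled rule from several rule files into one sid-msg.map in the classic "sid || msg || ref" layout, then checks a set of fast-alert lines to report which ids would still print without a name. The rule lines, alert lines and URLs in it are constructed samples; it assumes one rule per line (as pulledpork writes snort.rules) and the fast-alert line format.

```python
"""Consolidate sid-msg.map from several rule sets and find alerts that would
still appear as a bare 'Snort Alert [gid:sid:rev]'.

Added example for this thread; not pulledpork's or Snort's own code. Assumes
single-line rules, the classic 'sid || msg || ref' sid-msg.map layout and
fast-alert lines. All rules, alerts and URLs below are constructed samples."""
import re

# Constructed sample rule sets: each set only knows about its own sids, which
# is exactly why copying one set's sid-msg.map over the other loses names.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP example probe"; flow:to_server,established; content:"/probe"; reference:url,example.invalid/probe; classtype:web-application-attack; sid:201209; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP disabled rule"; content:"/old"; sid:201210; rev:2;)
"""
ET_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY example outbound beacon"; flow:established,to_server; content:"beacon"; reference:url,doc.emergingthreats.net/2000001; classtype:policy-violation; sid:2000001; rev:3;)
alert udp any any -> any 53 (msg:"ET DNS example query"; content:"|03|foo"; sid:2000002; rev:1;)
"""

MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"\s*;')   # msg may contain escaped quotes
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+);')


def parse_rules(text):
    """Return {(gid, sid): (rev, msg, [refs])} for every enabled rule in text.
    Lines starting with '#' are disabled rules; they cannot fire, so they are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_msg, m_sid = MSG_RE.search(line), SID_RE.search(line)
        if not (m_msg and m_sid):
            continue                      # not a rule line, or malformed
        m_rev, m_gid = REV_RE.search(line), GID_RE.search(line)
        gid = int(m_gid.group(1)) if m_gid else 1   # gid defaults to 1 when absent
        rev = int(m_rev.group(1)) if m_rev else 1
        refs = [r.strip() for r in REF_RE.findall(line)]
        rules[(gid, int(m_sid.group(1)))] = (rev, m_msg.group(1), refs)
    return rules


def build_sid_msg_map(*rule_texts):
    """Merge all rule sets into one map. A later set overrides an earlier one
    for the same (gid, sid) but never drops the other sets' entries."""
    merged = {}
    for text in rule_texts:
        merged.update(parse_rules(text))
    return merged


def render_sid_msg_map(rules):
    """Classic 'sid || msg || ref || ref' lines, sorted by sid. Only gid 1 is
    emitted because that layout carries no gid column."""
    lines = []
    for (gid, sid), (_rev, msg, refs) in sorted(rules.items()):
        if gid == 1:
            lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


# Constructed fast-alert lines; the last one has no msg anywhere, as in the thread.
SAMPLE_ALERTS = [
    "05/28-15:03:53.000001  [**] [1:2000001:3] ET POLICY example outbound beacon [**] [Priority: 1] {TCP} 10.0.0.5:49152 -> 192.0.2.10:443",
    "05/28-15:03:54.000002  [**] [1:201209:1] SERVER-WEBAPP example probe [**] [Priority: 2] {TCP} 192.0.2.20:1234 -> 10.0.0.8:80",
    "05/28-15:03:55.000003  [**] [1:201300:1] Snort Alert [1:201300:1] [**] [Priority: 0] {TCP} 192.0.2.30:2222 -> 10.0.0.8:80",
]
ALERT_ID_RE = re.compile(r'\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]')


def unnamed_alerts(alert_lines, rules):
    """Return sorted (gid, sid) ids from fast-alert lines that have no entry in
    the map, i.e. the ones that can only be printed as 'Snort Alert [gid:sid:rev]'."""
    missing = set()
    for line in alert_lines:
        m = ALERT_ID_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key not in rules:
                missing.add(key)
    return sorted(missing)


if __name__ == "__main__":
    # Map built from the ET set alone: the VRT alert loses its name too.
    print("ET-only map, unnamed:", unnamed_alerts(SAMPLE_ALERTS, build_sid_msg_map(ET_RULES)))
    # Map built from both sets: only the sid present in no rule set is left.
    full = build_sid_msg_map(VRT_RULES, ET_RULES)
    print("merged map, unnamed:", unnamed_alerts(SAMPLE_ALERTS, full))
    print(render_sid_msg_map(full), end="")
```

Running it shows the two failure modes side by side: with a map taken from one set, alerts from the other set lose their names even though the rule is loaded; with a map built from all loaded rules, the only unnamed ids left are sids that no current rule file contains, which points at stale rules or a stale map rather than at the copy step.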
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort Alert [1:P201XXX:1] Matheus Condi'ez (May 26)
- Re: Snort Alert [1:P201XXX:1] waldo kitty (May 27)
- Re: Snort Alert [1:P201XXX:1] Matheus Condi'ez (May 27)
- Re: Snort Alert [1:P201XXX:1] waldo kitty (May 27)