Snort mailing list archives

Re: Snort Alert [1:xx] - sid-msg.map looks correct


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 16 Jul 2014 18:09:31 +0000

Barnyard2 just needs to read the new file.  After that, things should log correctly.

--
Joel Esler
Sent from my iPhone

On Jul 16, 2014, at 13:24, "William Rehnquyst" <rehnquyst () gmail com> wrote:

Hi,

I've added some custom rules I grabbed from SANS, and changed them a little bit to look like this:

alert tcp any any <> any any (msg:"American Express card number detected in clear text";pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/";content:"amex";nocase;sid:1000156;rev:1;)

Pulledpork update seems to have generated the sid-msg.map correctly, because this alert does show up in the file:

1000156 || American Express card number detected in clear text

However, in my frontend, Snorby, the alerts are showing up as "Snort Alert [1:1000156:1]", which from my research seems to indicate that it's because either sid-msg.map isn't updated (which it is), or barnyard2 wasn't restarted. I've rebooted the server, so barnyard2 should have restarted correctly.

Was there something I missed?

Thanks!
Rehn
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
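The symptom in this thread (a generic "Snort Alert [gid:sid:rev]" name instead of the rule's msg) appears whenever the sid barnyard2 is processing has no entry in the sid-msg.map it loaded. The following script is an added example, not code from the thread, from Snort or from barnyard2: it parses a rules file for sid/rev/msg, parses a v1-style sid-msg.map (the `sid || msg` layout shown above), reports sids that are missing from the map or whose map text no longer matches the rule, and renders the name barnyard2 would log for each rule. The rules text and map text are constructed inline; the regexes and the `check`/`rendered_alert` helpers are this example's own.

```python
import re

# Constructed sample rules file: the rule from the thread plus a second custom
# rule (sid 1000157) that deliberately has no sid-msg.map entry.
RULES = r'''
alert tcp any any <> any any (msg:"American Express card number detected in clear text";pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/";content:"amex";nocase;sid:1000156;rev:1;)
alert tcp any any -> any any (msg:"Example custom rule with no map entry"; content:"example"; sid:1000157; rev:2;)
'''

# Constructed sid-msg.map in the v1 "sid || msg" layout; only sid 1000156 is present.
SID_MSG_MAP = '''
1000156 || American Express card number detected in clear text
'''

# Rule header up to the first "(", then the option body up to the last ")".
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((?P<opts>.*)\)\s*$')
# Only the options we need; the lookbehind stops "sid" matching inside another keyword.
OPT_RE = re.compile(r'(?<!\w)(msg|sid|rev|gid):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(text):
    """Return [{'gid', 'sid', 'rev', 'msg'}] for every rule line in the text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for key, val in OPT_RE.findall(m.group('opts')):
            opts[key] = val.strip('"') if key == 'msg' else int(val.strip())
        rules.append({'gid': opts.get('gid', 1), 'sid': opts['sid'],
                      'rev': opts.get('rev', 1), 'msg': opts.get('msg', '')})
    return rules


def parse_sid_msg_map(text):
    """Return {sid: msg}; extra '||' fields (references) after the msg are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if len(fields) < 2:
            continue
        mapping[int(fields[0])] = fields[1]
    return mapping


def rendered_alert(rule, mapping):
    """Name barnyard2 would log: the mapped msg, or the generic fallback seen in the thread."""
    msg = mapping.get(rule['sid'])
    if msg is None:
        return 'Snort Alert [%d:%d:%d]' % (rule['gid'], rule['sid'], rule['rev'])
    return msg


def check(rules_text, map_text):
    """Report sids with no map entry and sids whose map text differs from the rule's msg."""
    rules = parse_rules(rules_text)
    mapping = parse_sid_msg_map(map_text)
    missing = [r['sid'] for r in rules if r['sid'] not in mapping]
    stale = [r['sid'] for r in rules if r['sid'] in mapping and mapping[r['sid']] != r['msg']]
    return {'missing': missing, 'stale': stale}


if __name__ == '__main__':
    report = check(RULES, SID_MSG_MAP)
    mapping = parse_sid_msg_map(SID_MSG_MAP)
    for rule in parse_rules(RULES):
        print('%d -> %s' % (rule['sid'], rendered_alert(rule, mapping)))
    print('missing from sid-msg.map:', report['missing'])
    print('stale msg text:', report['stale'])
```

Run it against the real files (for example the rules directory and the sid-msg.map path from barnyard2.conf) to confirm the map barnyard2 loads actually contains the sid; if the check passes and the generic name still appears, the remaining explanation is the one Joel gives, that the running barnyard2 process has not re-read the file.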
