Re: Generator ID map file location changed ?

[Research <research () nativemethods com>]

Hi,

Ah, I see.  Ok, that makes sense.

Thanks.

On Mar 1, 2015, at 1:54 PM, Y M <snort () outlook com> wrote:

> > From: research () nativemethods com
> > Date: Fri, 27 Feb 2015 15:58:42 -0500
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Generator ID map file location changed ?
> >
> > Hello,
> >
> > On page 12 of the PDF format of the “Snort 2.9.7 Manual) [1], it notes that the mapping for GID’s (Generator ID’s), 
> > can be found in:
> >
> > "For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came 
> > from the “decode” (116) component of Snort.”
> >
> > > From the source tar ball, I can see the etc subdirectory:
> >
> > ~/snort_src/snort-2.9.7.0/etc
> >
> > In there I can see “gen-map.msg”:
> >
> > -rw-r--r-- 1 user user 31K Sep 16 14:24 gen-msg.map
> >
> > Inside this file I can see a mapping to “decode” for GID 116 (as referenced in the first quote from the manual), so 
> > is this the file that the GID mappings are in now, *NOT* generators, or am I still looking in the wrong place ? 
>
>   # In general, the generators.h is the header defining the GID and SID of Snort components. Each component (GID) is 
> capable of generating various outputs (SID). I would use the gen-msg.map to lookup mappings
>
> > If so, am I correct interpreting that a GID of 1 means the generator was “snort general rule” which matches up to a 
> > custom rule I wrote ?
>
> # GID 1 refers to textual rules, including the rules that ship from VRT and your custom textual rules.
>
> > Thanks
> >
> > [1] See: 
> > https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/051/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1425073972&Signature=9uEeOQH3nRJTwXr6c7XxK%2F%2FWqAU%3D
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!