Snort mailing list archives
Unified output and multiple .map's.
From: Chris Keladis <chris () cmc optus net au>
Date: Sat, 05 Mar 2005 12:31:56 +1100
Hi all,

I was wondering how people using the unified output, the official Snort rules and the bleeding rules are handling their .map files?
It seems it's a bit of a catch-22. If you have multiple .map files, say, in their respective rule subdirs, the spool pre-processor (Mudpit in this case) does not seem to like multiple .map files. In fact it defines them in the global {} section of the config.
Looking at Barnyard, it takes .map's on the command line and it seems to accept one set (gen, sid) per instance.
Concatenating the .map files into one big one works okay, but causes Oinkmaster confusion: when parsing the official rules it sees and removes the bleeding sid-msg.map entries, and vice versa.
It requires the extra step of re-creating the sid-msg.map file after both sets of rules have been applied via Oinkmaster.
The obvious solution to this is to have the unified pre-processors accept multiple .map files from different rule-sets.
Or is there another way to organize the rules whilst keeping Snort, the unified log pre-processor, and Oinkmaster happy?
Thanks, Chris.
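The "extra step" the post describes, rebuilding one sid-msg.map after both Oinkmaster runs, as an added example. This is not code from the original post, nor from Snort, Oinkmaster, Barnyard or Mudpit. It assumes each rule set keeps its own sid-msg.map in its own directory (so Oinkmaster never sees the other set's entries), assumes the Snort 2.x map format "SID || msg [|| ref ...]", and uses a scratch directory $WORK and constructed sample maps; all of those are assumptions. Beyond plain concatenation it refuses to write the merged map when two rule sets claim the same SID with different text, since a silent overwrite would mislabel alerts in the unified output.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, nor from
# Snort, Oinkmaster, Barnyard or Mudpit. Each rule set (official, bleeding)
# keeps its own sid-msg.map in its own directory, updated by its own
# Oinkmaster run; this script then rebuilds the single merged map that a
# unified-output spooler reads. Assumed map format: "SID || msg [|| ref]".
# The directory layout and the $WORK scratch dir are assumptions.

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample maps (not real rule-set content).
mkdir -p "$WORK/official" "$WORK/bleeding"
cat > "$WORK/official/sid-msg.map" <<'EOF'
# official set
1000001 || EXAMPLE official rule one || url,example.org/1
1000002 || EXAMPLE official rule two
EOF
cat > "$WORK/bleeding/sid-msg.map" <<'EOF'
2000002 || EXAMPLE bleeding rule two || cve,2000-0001
2000001 || EXAMPLE bleeding rule one
EOF

# merge_sid_maps OUTFILE MAP...
# Writes OUTFILE sorted by SID with exact duplicate lines collapsed.
# Returns 1 and writes nothing if a SID maps to different text in two
# inputs or a line lacks the "SID ||" prefix; offenders go to stderr.
merge_sid_maps() {
    out="$1"; shift
    tmp="${out}.tmp.$$"
    awk -F' *\\|\\| *' '
        /^ *#/ || /^ *$/ { next }               # comments and blank lines
        $0 !~ /^ *[0-9]+ *\|\|/ {               # no "SID ||" prefix
            print "malformed: " $0 > "/dev/stderr"; bad = 1; next
        }
        {
            sid = $1 + 0
            if ((sid in seen) && seen[sid] != $0) {
                print "conflict: sid " sid " differs between rule sets" > "/dev/stderr"
                bad = 1
            }
            seen[sid] = $0
        }
        END {
            if (bad) exit 1
            for (s in seen) print seen[s]
        }
    ' "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    sort -n -o "$out" "$tmp" && rm -f "$tmp"
}

# map_sids FILE: prints the SIDs in a map, one per line, in file order
# (useful for checking that every rule's SID made it into the merged map).
map_sids() {
    awk -F' *\\|\\| *' '/^ *[0-9]+ *\|\|/ { print $1 + 0 }' "$1"
}

merge_sid_maps "$WORK/sid-msg.map" \
    "$WORK/official/sid-msg.map" "$WORK/bleeding/sid-msg.map" \
    && echo "merged map written to $WORK/sid-msg.map"
```

Run it as the last step after both Oinkmaster invocations and point the spooler at the single merged file; a non-zero exit means the two rule sets disagree on a SID and the old merged map should be left in place until that is resolved.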
Current thread:
- Unified output and multiple .map's. Chris Keladis (Mar 04)
- Re: Unified output and multiple .map's. Andreas Östling (Mar 06)
- <Possible follow-ups>
- RE: Unified output and multiple .map's. Michael Scheidell (Mar 06)