Snort mailing list archives
Re: sid-msg maps and dynamic rules
From: firnsy <firnsy () securixlive com>
Date: Thu, 30 Jul 2009 21:18:24 +0930
G'day Russell,

Russell Fulton wrote:
> hmmm... Now having the dynamic rules running I find that barnyard is not matching the sid and the message. Reason is fairly obvious -- the dynamic rules have a gen code of 3 not 1.

The aforementioned issue with dynamic rules having a generator_id of 3 and not 1, which leads to messages not being matched correctly, does not exist in barnyard2.

> Presumably then sid-msg.map has an implicit gen of 1.

You presume correctly.

> Is it expected that these be added to the gen-msg.map? If so it is a bit painful -- the sidmsg.map can be created from scratch from the rule files but the gen-msg.map has a whole lot of static stuff and one therefore needs to append to the original. Is there a way of having this in a separate file?
>
> Russell
Regards,
--
firnsy
www.securixlive.com
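The mismatch discussed in this thread, as an added Python example that is not part of either message and is not Barnyard or barnyard2 code: it loads both map files into one table keyed by (gid, sid), with sid-msg.map rows given the implicit gid of 1, and shows that a gid 3 event only resolves once a gid-bearing entry exists. The sample rows, sids and messages are constructed, and the function names and the `gid || sid || msg` row layout used for gen-msg.map are assumptions of the example.

```python
# Added example: constructed data, hypothetical helper names.
SID_MSG_MAP = """\
# constructed sample, layout: sid || msg || reference ...
1000001 || LOCAL text rule example || url,example.invalid/a
"""

GEN_MSG_MAP = """\
# constructed sample, assumed layout: gid || sid || msg
3 || 1000002 || LOCAL dynamic rule example
"""


def parse_map(text, has_gid):
    """Return {(gid, sid): msg}; rows without a gid column get gid 1."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        try:
            if has_gid:
                gid, sid, msg = int(fields[0]), int(fields[1]), fields[2]
            else:
                gid, sid, msg = 1, int(fields[0]), fields[1]
        except (ValueError, IndexError):
            continue  # skip malformed rows instead of aborting the load
        table[(gid, sid)] = msg
    return table


def resolve(event_gid, event_sid, sid_map, gen_map):
    """Look up the full (gid, sid) pair: sid-msg.map first, then gen-msg.map."""
    key = (event_gid, event_sid)
    return sid_map.get(key) or gen_map.get(key)


if __name__ == "__main__":
    sid_map = parse_map(SID_MSG_MAP, has_gid=False)
    gen_map = parse_map(GEN_MSG_MAP, has_gid=True)
    # A text rule (gid 1) resolves from sid-msg.map alone.
    print(resolve(1, 1000001, sid_map, {}))
    # A dynamic rule event (gid 3) finds nothing there...
    print(resolve(3, 1000002, sid_map, {}))
    # ...and resolves once an entry that carries gid 3 is loaded.
    print(resolve(3, 1000002, sid_map, gen_map))
```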
Current thread:
- sid-msg maps and dynamic rules Russell Fulton (Jul 28)
- Re: sid-msg maps and dynamic rules firnsy (Jul 30)
- Re: sid-msg maps and dynamic rules Seth Art (Jul 31)