Snort mailing list archives

Re: SDP gen-msg.map and doc's mismatch???


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Mon, 3 May 2010 11:42:45 -0400

Thx! I've sent the Barnyard2 folks an email letting them know that BY2
will need to reference sid-msg.map for gid:138 alerts in order to
properly populate the rule message. I think it currently only does
this for gid:1 since, I believe, this is the first time a rule is
required to use a GID other than 1.

Wally

On Mon, May 3, 2010 at 11:24 AM, Ryan Jordan <ryan.jordan () sourcefire com> wrote:
Rule 139:1 is a preprocessor alert that gets used by the Sensitive
Data preprocessor. GID 138 is for "sd_pattern" rules. Use 138 for your
rules.

These were split up to avoid a situation where we say "use GID 138 for
rules, but never use 138:1".

On Mon, May 3, 2010 at 11:08 AM, Joel Esler <jesler () sourcefire com> wrote:
Which one is right? 138 or 139?  It says 139 in the gid-msg.map

On Mon, May 3, 2010 at 10:14 AM, Ryan Jordan <ryan.jordan () sourcefire com> wrote:

That's correct, we use a separate GID for the preprocessor alert.

On Mon, May 3, 2010 at 8:49 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:
I've been playing around with the SDP and found something I need
clarification on. The 2.6.0 gen-msg.map shows...

139 || 1 || sensitive_data: sensitive data global threshold exceeded

But the docs say, "Rules using sd_pattern must use GID 138." (Snort, pg. 90)

Is there a typo here, or is this correct?

This came up while trying to diagnose why the message from alerts from
rules using sd_pattern were not displaying in BASE properly.

Thx,
Wally


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users








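The thread pins down why sd_pattern alerts show up without a message in BASE: the alert carries GID 138, but the message is only in sid-msg.map, and a consumer that consults sid-msg.map solely for GID 1 finds nothing. The following Python script is an added example, not code from Snort, Barnyard2 or anyone in this thread. It parses the two map formats (gen-msg.map as `gid || sid || message`, sid-msg.map as `sid || message || reference...`) from constructed sample contents embedded inline, and resolves a message for a `gid:sid` pair under two policies: the narrow one the thread says Barnyard2 currently applies (sid-msg.map for GID 1 only) and the corrected one (sid-msg.map for GID 1 and GID 138, gen-msg.map for everything else, including 139:1). The sample map lines and SIDs 1000001/1000002 are constructed for the example.

```python
"""Resolve a Snort alert's message text from gen-msg.map / sid-msg.map.

Added example; not part of Snort or Barnyard2. The map contents below are
constructed samples, and the resolution policy is the one the mailing-list
thread says a consumer needs (sid-msg.map for GID 1 and GID 138), not a
description of any particular Barnyard2 release.
"""

from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample of gen-msg.map, one "gid || sid || message" per line.
GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
139 || 1 || sensitive_data: sensitive data global threshold exceeded
"""

# Constructed sample of sid-msg.map, "sid || message || reference ..." per line.
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL test rule || url,example.invalid
1000002 || LOCAL sd_pattern credit card match
"""

# Policy the thread says Barnyard2 applies today: only GID 1 is looked up in
# sid-msg.map, so a GID 138 sd_pattern alert never gets its message.
NARROW_SID_MAP_GIDS: FrozenSet[int] = frozenset({1})

# Corrected policy: rules written with sd_pattern carry GID 138 but are still
# ordinary rules with their own SIDs, so they belong in sid-msg.map as well.
SID_MAP_GIDS: FrozenSet[int] = frozenset({1, 138})


def _split_fields(line: str):
    """Split a map line on the '||' delimiter and strip surrounding whitespace."""
    return [f.strip() for f in line.split("||")]


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Parse gen-msg.map into {(gid, sid): message}, skipping comments/blank lines."""
    out: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the whole load
        out[(int(fields[0]), int(fields[1]))] = fields[2]
    return out


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Parse sid-msg.map into {sid: message}; trailing reference fields are ignored."""
    out: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 2:
            continue
        out[int(fields[0])] = fields[1]
    return out


def resolve_message(
    gid: int,
    sid: int,
    gen_map: Dict[Tuple[int, int], str],
    sid_map: Dict[int, str],
    sid_map_gids: FrozenSet[int] = SID_MAP_GIDS,
) -> Optional[str]:
    """Return the message for gid:sid, or None if the maps do not cover it.

    GIDs in sid_map_gids are rule-engine GIDs whose SIDs live in sid-msg.map;
    every other GID is a preprocessor and is looked up in gen-msg.map.
    """
    if gid in sid_map_gids:
        return sid_map.get(sid)
    return gen_map.get((gid, sid))


def demo() -> Dict[str, Optional[str]]:
    """Resolve the thread's cases under both policies; returns a labelled dict."""
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    return {
        "139:1 preprocessor alert": resolve_message(139, 1, gen_map, sid_map),
        "138:1000002 narrow policy": resolve_message(
            138, 1000002, gen_map, sid_map, NARROW_SID_MAP_GIDS),
        "138:1000002 corrected policy": resolve_message(138, 1000002, gen_map, sid_map),
        "1:1000001 standard rule": resolve_message(1, 1000001, gen_map, sid_map),
    }


if __name__ == "__main__":
    for label, msg in demo().items():
        print(f"{label:32s} -> {msg!r}")
```

Run it directly and the narrow-policy line comes back `None`, which is exactly the empty message the original post saw in BASE; the corrected policy fills it in from sid-msg.map while 139:1 continues to resolve through gen-msg.map.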

