Re: sid-msg.map incomplete again

[waldo kitty <wkitty42 () windstream net>]

On 1/25/2011 14:30, Lawrence R. Hughes, Sr. wrote:
> Nigel,
>
> That's great if you use pulledpork, we do not.
> PulledPork was not a requirement for snort to work correctly.

there is also a create-sidmap.pl file that can be used to update your 
sid-msg.map file... we have our update script run it every time the rules are 
updated... this is several times a day because we also use the ET rules sets as 
well as updating our local.rules...

i forget if create-sidmap.pl comes in the contributions directory or not...

> Thanks,
> Larry
>
> ----- Original Message -----
> From: "Nigel Houghton"<nhoughton () sourcefire com>
> To: "Lawrence R. Hughes, Sr."<lhughes () safemedia com>
> Cc:<snort-users () lists sourceforge net>
> Sent: Tuesday, January 25, 2011 12:07 PM
> Subject: Re: [Snort-users] sid-msg.map incomplete again
>
>
> > On Tue, 25 Jan 2011 11:32:08 -0500, Lawrence R. Hughes, Sr. wrote:
> > > Hi,
> > >
> > > How come VRT continues to release new rules, but does not update the
> > > sid-msg.map file?
> > > Just downloaded the latest VRT rules with 4 new rules and the
> > > following sids were missing from the sid-msg.map file for these rules:
> > >
> > >
> > > 18206 || NETBIOS Windows Address Book wab32res.dll malicious DLL load
> > > 18209 || NETBIOS Windows 7 Home peerdist.dll dll-load exploit attempt
> > > 18211 || NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit
> > > attempt
> > > 18278 || NETBIOS Vista Backup Tool fveapi.dll dll-load exploit attempt
> > > We added the above by hand...
> >
> > Pulledpork[0] will take care of your sid-msg.map. That way you can
> > include all the rules you use, not just the VRT ones and you also get
> > to include the local rules you have written for your environment too.
> >
> > [0] - http://code.google.com/p/pulledpork/
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT Department of Intelligence Excellence
> > http://vrt-blog.snort.org/&&;  http://labs.snort.org/
>
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users