Re: Help with Alerts

[Joel Esler <jesler () sourcefire com>]

You can run pulledpork in the configuration to only process already downloaded rules, yes.  

But there are other benefits to pulledpork that outweigh the effort, IMHO. 

--
Joel Esler

On Sep 9, 2012, at 5:43 PM, "Michael Steele" <michaels () winsnort com> wrote:

> Joel,
>
> When you say 'will include the SIDS from your local ruleset', you are
> referring to the local.rules file, correct?
>
> If that's the case; as long as there is no local.rules file, oinkmasters
> stand alone sid.msg.map utility should work fine.
>
> For my applications PP is a little messy to implament.
>
> I'd like to see a basic default run of that adds all the stock rulesets
> based on the stock snort.conf. The basic default should be exactly like
> manually adding a new rule set.  
>
> Is it possible to use PP to only process the sid.msg.map? 
>
> Kindest regards,
> Michael...
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Sunday, September 09, 2012 4:26 PM
> To: wkitty42 () windstream net
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Help with Alerts
>
>
> On Sep 9, 2012, at 12:00 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
> > On 9/9/2012 09:09, James Lay wrote:
> > > On Sep 8, 2012, at 6:31 PM, waldo kitty<wkitty42 () windstream net>  wrote:
> > >
> > > > On 9/8/2012 07:53, Joel Esler wrote:
> > > > > If you are using pulledpork, it should generate your Sid-MSG.map 
> > > > > for you. Are you using pulledpork?
> > > >
> > > > and if you are not using pulledpork, there is a tool in the 
> > > > utilities area for this... at least there was in the older versions 
> > > > of snort... i guess it is still there?
> > > >
> > > > create-sidmap.pl /path/to/rules>  /path/to/sidmap/sid-msg.map
> > >
> > > Actually I think that's part of oinkmaster :)
> >
> > it might be... i dunno... i've seen it as a separate tool in several
> places... 
> > gotta dance a little dance if one has more than one rule directory,
> though...
>
> It is part of oinkmaster. 
>
> As someone said earlier in the thread, you need to be using pulledpork to
> generate the Sid-MSG.map because that will include the SIDS from you local
> ruleset. 
> Very important. 
> ----------------------------------------------------------------------------
> --
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat
> landscape has changed and how IT managers can respond. Discussions will
> include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!