Snort mailing list archives
Signature Message, PP, and sid-msg.map
From: Y M <snort () outlook com>
Date: Sun, 2 Dec 2012 12:17:21 +0000
This may have been discussed before, but I did not find a definitive answer or an optimal solution. I use PulledPork to generate the VRT rules (snort.rules), the sid-msg.map, etc. The process completes successfully. I run Snort and alerts start showing up; however, I do not get signature messages (sig_name in the DB table) for some of the rules. I only get something like, for example: "Snort Alert [1:255:19]". This happens to a considerable number of rules. Since the rules are firing and they exist in the snort.rules file, this means that they have been processed by PulledPork; however, they do not have corresponding entries in the sid-msg.map file. I updated those manually, both in the database and in the sid-msg.map file, and now they are showing up fine. As Snort continues to run, I get new alerts with no signature message and do the updates again, and so on.

My questions are: does PulledPork generate the sid-msg.map file dynamically each time it is run? If so, why do some rules not get mapped into the file? I have read in a group discussion (can't remember where!) that this is related to the reorganization of the rules and should go away once everything stabilizes; please correct me if I am wrong. It can take some effort to get the rules to show up properly every time the rules are updated and PulledPork is run. Any help would be appreciated. Thanks in advance.

YM
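The symptom above (alerts labelled only "Snort Alert [gid:sid:rev]") means the output side found no message for that generator/signature pair in sid-msg.map. The script below is an added example, not part of the original post or of PulledPork: it cross-checks a snort.rules file against a sid-msg.map and lists the active rules that would fall back to the bare label, so the check can be run after every PulledPork update instead of discovering the gaps from the database. Both input files are constructed samples; the rule text and the "EXAMPLE" messages are invented. The map-file layout it assumes is the v1 form "sid || msg || ref ..." and, when the file starts with "#v2", "gid || sid || rev || classification || priority || msg || ref ..."; a v1 line is treated as matching the sid under any gid.

```python
"""Cross-check snort.rules against sid-msg.map and report rules whose alerts
would appear as the bare "Snort Alert [gid:sid:rev]" fallback.

Added example; sample inputs below are constructed, not real VRT content."""
import re
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[int, int]             # (gid, sid) of a rule
MapKey = Tuple[Optional[int], int]  # (gid or None for "any gid", sid)

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed snort.rules fragment: one mapped rule, one unmapped rule, one
# disabled (commented) rule, and one gid:3 rule mapped by sid only.
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; sid:255; rev:19; classtype:attempted-recon;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE http thing"; content:"GET"; sid:1000001; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled dns"; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"EXAMPLE gid 3 so rule"; gid:3; sid:2000; rev:4;)
"""

# Constructed v1 sid-msg.map: sid || msg || optional refs.
SAMPLE_MAP = """\
255 || EXAMPLE ssh probe || url,example.com
# comment
2000 || EXAMPLE gid 3 so rule
"""


def parse_rules(text: str) -> Dict[Key, Tuple[str, int]]:
    """Map (gid, sid) -> (msg, rev) for every active (uncommented) rule."""
    rules: Dict[Key, Tuple[str, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # disabled rules never fire, so they need no map entry
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        rules[key] = (msg.group(1) if msg else '', int(rev.group(1)) if rev else 0)
    return rules


def parse_sid_msg_map(text: str) -> Set[MapKey]:
    """Return the (gid, sid) pairs a sid-msg.map provides messages for.

    Assumed layout: v1 lines are "sid || msg || ref ..." (gid recorded as None,
    i.e. any gid); if the first line is "#v2", lines are
    "gid || sid || rev || classification || priority || msg || ref ...".
    """
    lines = text.splitlines()
    v2 = bool(lines) and lines[0].strip().lower() == '#v2'
    keys: Set[MapKey] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        try:
            if v2:
                keys.add((int(fields[0]), int(fields[1])))
            else:
                keys.add((None, int(fields[0])))
        except (IndexError, ValueError):
            continue  # malformed line: skip it rather than abort on a large map
    return keys


def find_unmapped(rules_text: str, map_text: str) -> Dict[Key, Tuple[str, int]]:
    """Active rules that have no sid-msg.map entry, keyed by (gid, sid)."""
    mapped = parse_sid_msg_map(map_text)
    return {k: v for k, v in parse_rules(rules_text).items()
            if k not in mapped and (None, k[1]) not in mapped}


def alert_label(gid: int, sid: int, rev: int) -> str:
    """The fallback signature name shown when no message is mapped."""
    return f"Snort Alert [{gid}:{sid}:{rev}]"


def missing_v1_lines(unmapped: Dict[Key, Tuple[str, int]]) -> List[str]:
    """v1-format sid-msg.map lines for the missing entries, ready to append."""
    return [f"{sid} || {msg}" for (gid, sid), (msg, rev) in sorted(unmapped.items())]


if __name__ == "__main__":
    gaps = find_unmapped(SAMPLE_RULES, SAMPLE_MAP)
    for (gid, sid), (msg, rev) in sorted(gaps.items()):
        print(f"{alert_label(gid, sid, rev)} has no map entry; msg would be: {msg}")
    print("\n".join(missing_v1_lines(gaps)))
```

Run it against the real files (read snort.rules and sid-msg.map instead of the samples) after each PulledPork run; anything it lists is a rule that will alert under the bare [gid:sid:rev] label until the map is regenerated or the printed lines are appended to it.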
Current thread:
- Signature Message, PP, and sid-msg.map Y M (Dec 02)
- Re: Signature Message, PP, and sid-msg.map JJ Cummings (Dec 02)
- Re: Signature Message, PP, and sid-msg.map Jeremy Hoel (Dec 02)
- Re: Signature Message, PP, and sid-msg.map Y M (Dec 02)
- Re: Signature Message, PP, and sid-msg.map JJC (Dec 04)
- Re: Signature Message, PP, and sid-msg.map JJ Cummings (Dec 02)