Snort mailing list archives

Re: Updating sid-msg.map
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 16 Nov 2010 09:03:29 -0500

On Mon, 15 Nov 2010 17:35:02 -1000, Chan, Wilson wrote:
First off, what is the sid-msg.map used for? I looked in my oinkmaster 
config docs and they recommend updating the sourcefire and emerging 
threats rules via the create-sidmap.pl script.
Since I have oinkmaster dumping ET and sourcefire rules to 
/etc/snort/rules, do I just run the perl script like this?
 
===============================================
create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
===============================================
 
I’ve also googled and found this as another alternative.
 

=========================================================================================================================
Cron script to refresh sid-msg.map; otherwise you will get 
unidentified alerts:
 
#!/bin/sh
# Pull the Emerging Threats rules with oinkmaster
/usr/local/bin/oinkmaster -o /usr/local/etc/snort/rules/emerging-threads \
    -C /usr/local/etc/oinkmaster.emerging.conf
# Rebuild sid-msg.map from the sample map plus the ET-supplied map
/bin/rm /usr/local/etc/snort/sid-msg.map
/bin/cat /usr/local/etc/snort/sid-msg.map-sample \
    /usr/local/etc/snort/rules/emerging-threads/emerging-sid-msg.map \
    > /usr/local/etc/snort/sid-msg.map
# Restart Snort so it picks up the new map
/usr/local/etc/rc.d/snort restart

==========================================================================================================================
 
Wilson

I do not suggest you use that cron script.

I do suggest using PulledPork and having that handle everything.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
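Added example, not part of this thread and not the code of create-sidmap.pl or PulledPork: a small Python script that does the job the question is about. sid-msg.map maps each rule's sid to its msg text (plus reference fields) so that tools reading Snort's unified output, which only carries gid/sid, can print a readable alert name; an alert whose sid is missing from the map is the "unidentified alert" Wilson's cron snippet warns about. The script folds backslash-continued rules, skips commented-out rules unless asked to include them, keeps the first of any duplicate sid, and writes the classic `sid || msg || reference` line format. The sample rules are constructed and use the 9000000+ sid range reserved for local rules.

```python
import re
import sys
import glob
from typing import Dict, Iterable, List, Tuple

# Constructed sample rules (not from any real ruleset); used when no directory is given.
SAMPLE_RULES = r'''
# A disabled rule; include_disabled=True keeps it in the map, the default drops it.
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE outbound HTTP test"; \
    flow:to_server,established; content:"GET"; reference:url,example.com/doc; \
    reference:cve,2010-0001; classtype:misc-activity; sid:9000002; rev:3;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS query test"; sid:9000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE duplicate sid"; sid:9000003; rev:2;)
'''

_MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_REF_RE = re.compile(r'reference\s*:\s*([^;]+?)\s*;')


def iter_rules(text: str, include_disabled: bool = False) -> Iterable[str]:
    """Yield one logical rule per item: fold '\\'-newline continuations, drop
    blank lines and comments (a '#'-prefixed rule counts as disabled)."""
    joined = re.sub(r'\\\n\s*', ' ', text)
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('#'):
            if not include_disabled:
                continue
            line = line.lstrip('#').strip()
        # Only lines that carry both a sid and a msg are rules worth mapping.
        if _SID_RE.search(line) and _MSG_RE.search(line):
            yield line


def parse_rule(rule: str) -> Tuple[int, str, List[str]]:
    """Extract (sid, msg, [reference fields]) from a single rule line."""
    sid = int(_SID_RE.search(rule).group(1))
    msg = _MSG_RE.search(rule).group(1)
    refs = [r.replace(' ', '') for r in _REF_RE.findall(rule)]
    return sid, msg, refs


def build_sid_msg_map(text: str, include_disabled: bool = False) -> Dict[int, Tuple[str, List[str]]]:
    """Map sid -> (msg, refs). The first occurrence of a duplicate sid wins;
    later ones are reported on stderr so the ruleset can be cleaned up."""
    sidmap: Dict[int, Tuple[str, List[str]]] = {}
    for rule in iter_rules(text, include_disabled):
        sid, msg, refs = parse_rule(rule)
        if sid in sidmap:
            print(f"warning: duplicate sid {sid}, keeping first entry", file=sys.stderr)
            continue
        sidmap[sid] = (msg, refs)
    return sidmap


def format_sid_msg_map(sidmap: Dict[int, Tuple[str, List[str]]]) -> str:
    """Render the map as 'sid || msg || ref || ref' lines, sorted numerically by sid."""
    lines = [' || '.join([str(sid)] + [sidmap[sid][0]] + sidmap[sid][1]) for sid in sorted(sidmap)]
    return '\n'.join(lines) + '\n'


if __name__ == "__main__":
    # Usage: python sidmap.py [rules_dir] > sid-msg.map ; with no argument the sample rules are used.
    if len(sys.argv) > 1:
        text = ''.join(open(p, encoding='utf-8', errors='replace').read() + '\n'
                       for p in sorted(glob.glob(sys.argv[1].rstrip('/') + '/*.rules')))
    else:
        text = SAMPLE_RULES
    sys.stdout.write(format_sid_msg_map(build_sid_msg_map(text)))
```

Run it against a rules directory and redirect to the map file that your output consumer reads; if you deliberately run disabled rules through it, pass include_disabled=True so their sids still resolve to names.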
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
