'Re: [Snort-users] sid-msg.map v2 barnyard2-2.1.3'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-users
Subject:    Re: [Snort-users] sid-msg.map v2 barnyard2-2.1.3
From:       beenph <beenph () gmail ! com>
Date:       2013-08-23 19:53:57
Message-ID: CAFU9AX97hL8DqD+12V1ry-aYAak7-BbXoP_OhVVOsi6k4NgNdg () mail ! gmail ! com
[Download RAW message or body]

On Fri, Aug 23, 2013 at 3:38 PM, Robert Greenhouse
<rgreenhouse413@gmail.com> wrote:
> Can someone provide a version2  sid-msg.map (v2) file so we actually see the
> changes verses version 1 of the sid-msg.map (v1) please?
>
> Or can someone provide an accurate specification document for sid-msg.map v2
> please.
>
> Thanks,

Hi Richard,
 If you use pulledpork to generate sid-msg.map file then you have the
option to generate either
v1 or v2 format by using the configuration variable (in pulledpork)
sid_msg_version.

<SNIP>
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1
</SNIP>

For that I think that you need to get the trunk version of pulledpork
which you can get here:

http://code.google.com/p/pulledpork/source/browse/#svn%2Ftrunk



As for the message format here is the info from the by2 2-1.13 release note:


 <SNIP>
A new sig-msg.map format can be generated by pulledpok (upcomming
release, already in svn).

Detection of sid-msg.map version is done by a simple header in the
file that shouldn't be altered if you want it to be processed
correctly.

The sig-msg.map version 2 format extends the information already
present in the sid-msg.map file created from rules.

This new format version allow signature pre-population if users are
using output database method with barnyard2 2-1.13 and above.


sid-msg.map v1 format:

SID || MSG || REF 1 || REF N


sid := integer
msg := string
ref := string



sid-msg.map v2 format:

GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N

gid := integer
sid := integer
rev := integer
classification := string (if NULL set to NOCLASS)
priority := integer (if prio == 0, classification priority is used)
msg := string
ref := string


=====================
generator (GID, gen-msg.map) are defaulted to the following value
if their information is not overruled in sid-msg.map v2 file via
processing of preprocessor.rules:

revision 1
classification 0
priority 3

If generator message is present in the sid-msg.map v2 file, and
gen-msg.map message are longer
(more comprehensive by string length),
gen-msg.map messages are used instead of sid-msg.map v2 file generator messages.
=====================
</SNIP>

Hope this helps,

-elz







>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic