Stand Alone sig.msg.map generator

[MichaelS]

Is there a way we can get a stand alone sig.msg.map generator for use when a user manually installs the stock rules from the snort.org website?

 

TIA...

[JJ Cummings]

Under contrib in the oinkmaster tarball, or use PP to generate it with the -k option

Sent from the iRoad

On Nov 5, 2012, at 20:38, MichaelS <zips...@gmail.com> wrote:

Is there a way we can get a stand alone sig.msg.map generator for use when a user manually installs the stock rules from the snort.org website?

 

TIA...

--
You received this message because you are subscribed to the Google Groups "pulledpork users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pulledpork-users/-/1imru6QSs2kJ.
To post to this group, send email to pulledpo...@googlegroups.com.
To unsubscribe from this group, send email to pulledpork-use...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pulledpork-users?hl=en.

[Rodrigo Montoro(Sp0oKeR)]

Inside oinkmaster you will find create sidmap script =)

http://oinkmaster.sourceforge.net/download.shtml

Not sure if PP has a "standalone" createsid script.

Regards,

> --
> You received this message because you are subscribed to the Google Groups
> "pulledpork users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/pulledpork-users/-/1imru6QSs2kJ.
> To post to this group, send email to pulledpo...@googlegroups.com.
> To unsubscribe from this group, send email to
> pulledpork-use...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/pulledpork-users?hl=en.

--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker

[Michael Steele]

Yes, distributing that with my guides, but trying to be a little more up to date. I remember you saying that PP should be used as it performs a more through process then the Oinkmaster stand alone.

If I remember right PP wants to process all the rules every time. It take about 5 seconds for the Oinkmaster stand alone to process the sign.msg.map file. Will PP process that fast, and can PP deal with the stock rules names from the default rules tarball?

What I'm doing is just dumping the default .rule files into /rules and then processing the sign.msg.map file.

[JJC]

unfortunately PP will prepend to the name.. but you can keep the stock names with that caveat.. so the file becomes VRT-name.rules instead of just name.rules.. or ET-name.rules.. this allows for multiple disperate rulesets to be run at once if you want the individual files rather than one large file still.

JJC

[MichaelS]

I guessing; When PP processes the sig.msg.map file it reads all the .rules files in and writes to the sig.msg.map file. PP does not write to anything else?

 

What is it that PP does when it processes the sig.msg.map file that the Oinkmaster stand alone processor doesn't do? 

 

What effect is this going to have on the whole system?

 

TIA...

[JJC]

I am not sure what the standalone one does.. PP will handle multi line rules, does the flowbit resolution (this is HUGE) and will read in other local.rules files as specified and insert the required info into sid-msg.map

JJC

--

You received this message because you are subscribed to the Google Groups "pulledpork users" group.

To view this discussion on the web visit https://groups.google.com/d/msg/pulledpork-users/-/_cfDPVE5QBgJ.