
RE: [Snort-users] Bleedingsnort: Classification & Reference URL



Old 10-20-2004
McCash, John
 
RE: [Snort-users] Bleedingsnort: Classification & Reference URL

Joel,
Wow! Cool! Why the ^$%&%6 didn't I ever think to do that? The same thing works for the nessus references, with the new line being:

"nessus" => array("http://cgi.nessus.org/plugins/dump.php3?id=", ""),

However I do note one oddity... There are certain alerts that still don't come up. For example I'm looking at a 'BLEEDING-EDGE IE homepage hijacking' alert from the day before yesterday, and it still has 'url' with no link in the ACID interface. Most others are OK, but there seem to be a few exceptions. Looking at the rules, they seem to be formatted OK. Any ideas?
John


-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Esler, Joel - Contractor
Sent: Wednesday, October 13, 2004 8:16 AM
To: Archibald, B. Jay @ CSW-SLC; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Bleedingsnort: Classification & Reference URL

I am assuming you are referring to ACID in this instance? The url thing
is easy.. While Snort added the "url" feature to allow ANY Url to be
used as a reference, ACID wasn't updated to follow suit...

In your acid_conf.php there is a section entitled "Signature
references"..

You will see arrays for bugtraq, snort, cve, arachnids... And the like,
however, if you come down to your final line, change the ";" to a ","
then add the following line:

"url" => array("http://", ""));

Underneath it will make the "url" part look right...

As far as classification goes, you have to compare classification.config
with the classification that is in the rule itself, it will classify the
rule if your rule has the "classtype:" modifier in it.

Joel Esler, GCIA




-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Archibald,
B. Jay @ CSW-SLC
Sent: Tuesday, October 12, 2004 3:44 PM
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] Bleedingsnort: Classification & Reference URL


I have added signatures from bleedingsnort.com. I have noticed that all
the alerts are being listed under the "unclassified" classification and
the URL reference links are displayed as "URL" without a link.

Could someone explain what I need to do to add the bleedingsnort
classifications and get the reference links to work.

Thanks,

Jay Archibald







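As an added example (not code from the thread, from ACID, or from Snort), the following Python sketch models what the "Signature references" map in acid_conf.php does with a rule's reference: options, and how a rule's classtype: is matched against classification.config. Only the "url" and "nessus" map entries come from the thread; the cve entry, the sample rule (including its sid) and the classification.config excerpt are constructed for illustration.

```python
import re

# Mirrors the (prefix, suffix) arrays in acid_conf.php's "Signature references"
# section. "url" and "nessus" are the entries from the thread; "cve" is an
# assumed entry added here to make the map look realistic.
SIG_REFERENCES = {
    "cve": ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=", ""),
    "nessus": ("http://cgi.nessus.org/plugins/dump.php3?id=", ""),
    "url": ("http://", ""),
}

# Constructed classification.config excerpt
# (line format: config classification: name,description,priority).
CLASSIFICATION_CONFIG = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rule; the sid is made up.
SAMPLE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
               '(msg:"BLEEDING-EDGE IE homepage hijacking"; flow:to_server,established; '
               'reference:url,www.bleedingsnort.com; reference:nessus,12345; '
               'reference:arachnids,999; classtype:trojan-activity; sid:9000001; rev:1;)')

_OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]+);")

def load_classtypes(text):
    """Return the set of classtype names declared in a classification.config."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([^,]+),", line)
        if m:
            names.add(m.group(1).strip())
    return names

def parse_rule_options(rule):
    """Extract (keyword, value) pairs from the parenthesised option body of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return _OPT_RE.findall(body)

def resolve_references(rule, refmap=SIG_REFERENCES):
    """Turn each reference:scheme,id into (scheme, id, link). link is None when the
    scheme has no map entry, which is what ACID renders as bare text with no link."""
    links = []
    for key, val in parse_rule_options(rule):
        if key != "reference":
            continue
        scheme, _, ident = val.partition(",")
        scheme, ident = scheme.strip().lower(), ident.strip()
        entry = refmap.get(scheme)
        links.append((scheme, ident, entry[0] + ident + entry[1] if entry else None))
    return links

def check_classtype(rule, known):
    """Return (classtype, known?); False means ACID would list the alert as unclassified."""
    for key, val in parse_rule_options(rule):
        if key == "classtype":
            return val.strip(), val.strip() in known
    return None, False
```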