Netgate Discussion Forum

    Snort and ET ruleset sid-msg.map don't merge during rule update

    Cino:

      I'm running the latest snort 2.9.2.3 pkg v. 2.5.1 on pfSense 2.1 beta. For the life of me, I can't remember if the sid-msg.map files merged before all the recent changes made to snort or not.

      The issue is whichever ruleset is downloaded/copied last wins the sid-msg.map file. Normally snort/pfSense wouldn't care.. But if you're using barnyard2, this makes a big difference. Barnyard2 uses this file to send additional info about the alert that was triggered.. So let's say a Snort ruleset was the last to be downloaded but an ET rule is triggered. Only the SID is sent out. If it was a snort rule that was triggered: the SID, alert name, and alert reference URL will all be sent out. It goes back and forth based on which ruleset was updated last.

      If what I wrote doesn't make sense, use the links below to see the difference:

      ET Rules updated last:
      https://dl.dropbox.com/u/11597356/pfSense/ET-sid-msg.map

      Snort Rules updated last:
      https://dl.dropbox.com/u/11597356/pfSense/snort-sid-msg.map

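The post describes a "last writer wins" problem: each ruleset download drops its own sid-msg.map in place, so barnyard2 only has metadata for whichever ruleset was installed last. The script below is an added example, not code from the forum post or from the pfSense snort package, showing what a SID-keyed merge of several sid-msg.map files looks like. It assumes the v1 sid-msg.map layout that Snort 2.9.x and barnyard2 read (`SID || MSG || REF || REF ...`); the two sample files embedded in it are constructed for illustration and use placeholder SIDs, messages and reference URLs rather than real rules.

```python
"""Merge several Snort sid-msg.map files into one map keyed by SID.

Added example; not part of the original forum post or the pfSense snort
package. Assumes the v1 sid-msg.map layout read by barnyard2:
    SID || MSG || REF || REF ...
"""
from pathlib import Path
from typing import Dict, List, Sequence

# Constructed sample files: SIDs, messages and URLs are placeholders only.
SNORT_MAP = """\
# sid-msg.map shipped with a (constructed) Snort ruleset
1000001 || SAMPLE exploit attempt || url,example.invalid/1000001
1000002 || SAMPLE policy violation
"""
ET_MAP = """\
# sid-msg.map shipped with a (constructed) ET ruleset
2000001 || SAMPLE ET TROJAN beacon || url,example.invalid/2000001
1000002 || SAMPLE policy violation || url,example.invalid/1000002
"""

Entry = Dict[str, object]  # {"msg": str, "refs": List[str]}


def parse_sid_msg_map(text: str) -> Dict[int, Entry]:
    """Parse v1 sid-msg.map text into {sid: {"msg": ..., "refs": [...]}}."""
    entries: Dict[int, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        # Skip malformed lines instead of aborting the whole rule update.
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        sid = int(fields[0])
        entries[sid] = {"msg": fields[1], "refs": fields[2:]}
    return entries


def merge_maps(*maps: Dict[int, Entry]) -> Dict[int, Entry]:
    """Union the maps by SID. On a SID collision keep the first message seen
    and take the union of the reference fields, so neither ruleset's
    metadata is silently dropped."""
    merged: Dict[int, Entry] = {}
    for m in maps:
        for sid, entry in m.items():
            if sid not in merged:
                merged[sid] = {"msg": entry["msg"], "refs": list(entry["refs"])}
                continue
            existing_refs: List[str] = merged[sid]["refs"]  # type: ignore[assignment]
            for ref in entry["refs"]:  # type: ignore[union-attr]
                if ref not in existing_refs:
                    existing_refs.append(ref)
    return merged


def format_sid_msg_map(entries: Dict[int, Entry]) -> str:
    """Serialize back to v1 layout, sorted by SID for stable diffs."""
    lines = []
    for sid in sorted(entries):
        e = entries[sid]
        lines.append(" || ".join([str(sid), str(e["msg"]), *e["refs"]]))  # type: ignore[misc]
    return "\n".join(lines) + "\n"


def merge_files(paths: Sequence[str], out_path: str) -> int:
    """Merge the given sid-msg.map files on disk; returns the entry count."""
    maps = [parse_sid_msg_map(Path(p).read_text()) for p in paths]
    merged = merge_maps(*maps)
    Path(out_path).write_text(format_sid_msg_map(merged))
    return len(merged)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; with real files you would call
    # merge_files(["snort/sid-msg.map", "et/sid-msg.map"], "merged/sid-msg.map").
    result = merge_maps(parse_sid_msg_map(SNORT_MAP), parse_sid_msg_map(ET_MAP))
    print(format_sid_msg_map(result), end="")
```

Run against the constructed samples, the output keeps all three SIDs, and SID 1000002 (present in both files, but with a reference URL only in the second) ends up with its message and the URL, which is the information barnyard2 would otherwise lose whenever the other ruleset updated last.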
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.