Rob,
I believe someone mentioned that I also left this step out of the automated rule update process. Should this step be included there as well so the map is created if rules are updated?

Earl

On Tue, 22 Jan 2008 06:03:54 +0000 Robert Mcmillen <[EMAIL PROTECTED]> wrote:
> Steve,
>
> You have found a bug in the honeywall. Many thanks. Could I get you to fill out a ticket at:
> https://projects.honeynet.org/honeywall/newticket
> ? You will need to register on the site if you are not already to add a ticket. This will help us document the issues and ensure it actually gets fixed.
>
> The issue we have is that once you add rules to the system, neither snort's sid-msg.map nor the walleye signature database is being updated. Therefore, after you add new rules to the system, you need to do the following:
>
> 1. Create a new sid-msg.map. Oinkmaster comes with a perl script named create-sidmap.pl that is really easy to use. Simply point it at the snort rules directory and redirect its output to a sid-msg.map. For example, I added the rule you sent below to my local.rules. I had to change the sid because snort already has a rule with that sid (I used 70001). I then ran the perl script:
>
> cp /etc/snort/sid-msg.map /etc/snort/sid-msg.map.bak
> /usr/bin/create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map
>
> 2. Load the new sid-msg.map to the walleye db. The easiest way to do this is to simply restart hflowd (/etc/init.d/hflowd) or restart the honeywall. The hflowd startup script loads the sid-msg.map on start.
>
> From this point on, you should see your alerts on the walleye UI.
>
> The Snort Rules Management portion of the walleye interface does not do this and we need to fix it. Also, we need to add something to make this easier for folks that like to get in there and tweak the snort rules manually.
>
> Thanks again for bringing this to our attention,
>
> Rob
>
> On Jan 21, 2008, at 7:02 PM, Steve Ng wrote:
>
>> Hi Robert,
>>
>> the snort rule that I made in my local.rules is a simple one to test out only.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH attempted"; sid:10001; )
>>
>> Regards,
>> Steve
>>
>> _______________________________________________
>> Honeywall mailing list
>> [email protected]
>> https://public.honeynet.org/mailman/listinfo/honeywall
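Rob's step 1 regenerates sid-msg.map from the rules tree, and the reason he had to renumber Steve's rule is that sid 10001 was already taken. The script below is an added example written for this thread; it is not create-sidmap.pl, hflowd, or any other Honeywall code. It does the same job as step 1 (one `sid || msg || ref ...` line per active rule, which is the v1 map format I am assuming hflowd loads) and adds the check a practitioner wants before overwriting the map: it refuses to write anything when two rules share a sid and names both files. The rule texts are constructed for the example; `stock.rules` is a stand-in for whichever shipped rule owns sid 10001, whose real content the thread does not show.

```python
"""Rebuild a v1-format sid-msg.map from Snort rules and refuse on sid collisions.

Added example, not create-sidmap.pl.  Mirrors what that script emits and adds
the duplicate-sid check that would have flagged sid:10001 before the map was
written.  Sample rule texts are constructed.
"""
import re
from pathlib import Path

# Everything between the first '(' and the last ')' of a rule line.
_OPTS_RE = re.compile(r"\((.*)\)\s*$")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_REF_RE = re.compile(r"\breference\s*:\s*([^;]+);")


class DuplicateSidError(ValueError):
    """Two active rules carry the same sid; snort and walleye would label them inconsistently."""


def _logical_lines(text):
    """Join backslash-continued rule lines the way Snort's parser does."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_rules(text):
    """Yield (sid, msg, [references]) for every active rule in one rules file.

    Commented-out rules are skipped, as are rules without sid or msg,
    since walleye has nothing to label those alerts with.
    """
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = _OPTS_RE.search(line)
        if not opts:
            continue
        sid = _SID_RE.search(opts.group(1))
        msg = _MSG_RE.search(opts.group(1))
        if not sid or not msg:
            continue
        refs = [r.strip() for r in _REF_RE.findall(opts.group(1))]
        yield int(sid.group(1)), msg.group(1), refs


def build_sidmap(rule_texts):
    """rule_texts: {file name: rules text}.  Returns map text sorted by sid.

    Raises DuplicateSidError naming both files on the first collision.
    """
    owner, rows = {}, []
    for fname in sorted(rule_texts):
        for sid, msg, refs in parse_rules(rule_texts[fname]):
            if sid in owner:
                raise DuplicateSidError(
                    f"sid {sid} in {fname} is already used by {owner[sid]}")
            owner[sid] = fname
            rows.append((sid, msg, refs))
    rows.sort()
    return "".join(f"{sid} || {msg}" + "".join(f" || {r}" for r in refs) + "\n"
                   for sid, msg, refs in rows)


def check_rules(rule_texts):
    """Return (map_text, None) on success or (None, error message) on a collision."""
    try:
        return build_sidmap(rule_texts), None
    except DuplicateSidError as exc:
        return None, str(exc)


def load_rules_dir(rules_dir):
    """Read every *.rules file under rules_dir (e.g. /etc/snort/rules)."""
    return {p.name: p.read_text() for p in sorted(Path(rules_dir).glob("*.rules"))}


# Constructed inputs.  Steve's rule is quoted from the thread; the stock rule
# is a stand-in whose msg and reference are made up for this example.
STEVE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
              '(msg:"SSH attempted"; sid:10001; )\n')
STOCK_RULES = ('# a commented-out rule must not count\n'
               '# alert tcp any any -> any any (msg:"disabled"; sid:10001;)\n'
               'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \\\n'
               '    (msg:"Stock rule, constructed stand-in"; '
               'reference:url,www.example.org/stock; sid:10001; rev:1;)\n')
COLLIDING = {"stock.rules": STOCK_RULES, "local.rules": STEVE_RULE}
# What Rob did: the same rule with its sid moved to 70001.
FIXED = {"stock.rules": STOCK_RULES,
         "local.rules": STEVE_RULE.replace("sid:10001", "sid:70001")}

if __name__ == "__main__":
    _, err = check_rules(COLLIDING)
    print("refusing to write map:", err)
    text, _ = check_rules(FIXED)
    print(text, end="")
    # Against a real tree, the equivalent of Rob's step 1 (back the old map up first):
    #   text, err = check_rules(load_rules_dir("/etc/snort/rules"))
    #   if err is None: Path("/etc/snort/sid-msg.map").write_text(text)
```

Writing the map is only half of the fix: as Rob says in step 2, hflowd reads the map at startup, so after replacing the file you still restart it (or the honeywall) before walleye shows the new rule names.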
