Responses (4)
Accepted Answer
nuke wrote:
Nick, I guess the value of those descriptions in the emerging-sid-msg.map are questionable if you are just blocking and don't want or care to know what was blocked and why. I don't think the logs have any description if this file isn't provided. I find it helpful/interesting to know who (IP) and why they were blocked.
I have not even found out where the file should go. I've tried different locations having renamed it to sid-msg.map and I have not noticed any difference. What does it affect? The logs?
Accepted Answer
Simple forum search. I've done something similar but I don't bother archiving anything. Also I'm not sure of the point of emerging-sid-msg.map. I also redirect the output of the service command to /dev/null so I don't get an e-mail every time cron restarts snort.
You'll have to work out from the other thread how to enable these rules.

#!/bin/sh
# Fetch the current Emerging Threats rule files into a scratch directory,
# then move them up into the rules directory and restart snort.
# Bail out if the scratch directory is missing, otherwise "mv -f * .."
# below would move the contents of whatever directory cron started in.
cd /etc/snort.d/rules/emerging_threats/temp || exit 1
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-botcc.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-compromised.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
# wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-drop-BLOCK.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-dshield-BLOCK.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules
wget -q http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules
# Optional: the sid-to-message map, if you want readable descriptions in the logs.
# wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/sid-msg.map
# mv -f sid-msg.map /etc/snort.d
mv -f * ..
# Silence the service output so cron does not mail it on every run.
service snort restart > /dev/null
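As an added illustration of what the sid-msg.map in the thread above is for (this is not code from either poster): consumers of snort's unified output, barnyard for instance, log only the generator id, sid, revision and addresses of an alert and look the rule message up in that map. The script below parses a constructed excerpt in the map's "sid || msg || reference" format and annotates constructed alert records with it, so the "who and why" nuke asked about is recoverable; the sids, messages and addresses are made-up sample values.

```python
from typing import Dict

# Constructed excerpt in the sid-msg.map layout used by the Emerging Threats
# rule sets: "sid || msg || reference || ..." (references are optional).
SID_MSG_MAP = """\
# comment lines are ignored
2000345 || ET ATTACK_RESPONSE Unusual FTP Response || url,doc.emergingthreats.net/2000345
2402000 || ET DROP Dshield Block Listed Source group 1 || url,www.dshield.org
2500000 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 1
"""

# Constructed alert records in the shape a unified-output consumer sees:
# generator id, sid, revision, source, destination. No message text is stored.
ALERTS = [
    {"gid": 1, "sid": 2402000, "rev": 3, "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"gid": 1, "sid": 2500000, "rev": 5, "src": "198.51.100.4", "dst": "192.0.2.10"},
    {"gid": 1, "sid": 2999999, "rev": 1, "src": "198.51.100.9", "dst": "192.0.2.11"},
]


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Return {sid: msg}; blank, comment and malformed lines are skipped."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        table[int(fields[0])] = fields[1]
    return table


def describe(alert: dict, table: Dict[int, str]) -> str:
    """Render one alert with its rule message, or a marker if the sid is unmapped."""
    msg = table.get(alert["sid"], "<no entry in sid-msg.map>")
    return f'[{alert["gid"]}:{alert["sid"]}:{alert["rev"]}] {alert["src"]} -> {alert["dst"]} {msg}'


def enrich(alerts, text: str):
    """Annotate every alert record using the given sid-msg.map text."""
    table = parse_sid_msg_map(text)
    return [describe(a, table) for a in alerts]


if __name__ == "__main__":
    for line in enrich(ALERTS, SID_MSG_MAP):
        print(line)
```

An alert whose sid is missing from the map (the third record) still carries the addresses, which is exactly the situation of a log written without the file: the "who" survives, the "why" does not.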