nuke wrote:

Nick, I guess the value of those descriptions in the emerging-sid-msg.map are questionable if you are just blocking and don't want or care to know what was blocked and why. I don't think the logs have any description if this file isn't provided. I find it helpful/interesting to know who (IP) and why they were blocked.

I have not even found out where the file should go. I've tried different locations having renamed it to sid-msg.map and I have not noticed any difference. What does it affect? The logs?

Nick, I guess the value of those descriptions in the emerging-sid-msg.map are questionable if you are just blocking and don't want or care to know what was blocked and why. I don't think the logs have any description if this file isn't provided. I find it helpful/interesting to know who (IP) and why they were blocked.

Thanks Nick

Simple forum search. I've done something similar but I don't bother archiving anything. Also I'm not sure of the point of emerging-sid-msg.map. I also redirect the output of the service command to /dev/null so I don't get an e-mail every time cron restarts snort.

cd /etc/snort.d/rules/emerging_threats/temp

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-botcc.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-compromised.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules

# wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules

wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-drop-BLOCK.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-dshield-BLOCK.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules

wget -q http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules

# wget -q http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/sid-msg.map



# mv -f sid-msg.map /etc/snort.d

mv -f * ..



service snort restart > /dev/null

You'll have to work out from the other thread how to enable these rules.