Customized Snort Rules & enVision
My organization creates our own purpose-specific Snort rules, but enVision doesn't detect those rules as Snort events. Specifically, we add rules to the "local.rules" Snort file and assign our own unique Snort event IDs to them.
I'm wondering if anyone else does something similar and how they allow enVision to recognize those events (currently they are showing up as UNKNOWN event types from our IDS)? I was just planning on using the EventSource Integrator and adding them to the existing "snortmsg.xml" file, but my concern is: when I receive Signature Updates from RSA, will they then overwrite all of my custom signature detections?
Thanks in advance,