
Customized Snort Rules & enVision

Discussion created by 2QFL3LymIB6xwL5Uy73QZVQtt0E2S9rpdhju7K8M9jQ= on Jun 1, 2010

My organization creates our own purpose-specific Snort rules, but enVision doesn't detect those rules as Snort events. Specifically, we add rules to the "local.rules" Snort file and assign our own unique Snort event IDs to them.


I'm wondering if anyone else does something similar and how they allow enVision to recognize those events (currently they are showing up as UNKNOWN event types from our IDS)? I was just planning on using the EventSource Integrator and adding them to the existing "snortmsg.xml" file, but my concern is when I receive Signature Updates from RSA, will it then overwrite all of my custom signature detections?


Thanks in advance,

Jeff
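Before custom SIDs are loaded into any parser mapping (such as the snortmsg.xml file Jeff mentions), the local.rules file itself is worth checking: an event arrives as UNKNOWN whenever its SID has no message entry, and a SID that collides with the vendor set or repeats inside the file produces the wrong message rather than none. The script below is an added example, not code from the post or from RSA; it parses a constructed local.rules sample into a sid-to-message map and flags SIDs below 1,000,000 (the range reserved for locally written Snort rules) and duplicate SIDs.

```python
import re

# Constructed sample of a local.rules file. Lines 4 and 5 are deliberately
# faulty: a reused SID and a SID inside the vendor-reserved range.
SAMPLE_LOCAL_RULES = """\
# local.rules - purpose-specific rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH from untrusted net"; flow:to_server,established; sid:1000001; rev:2; classtype:attempted-recon;)
alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL mgmt port probe"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"LOCAL SNMP sweep"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet attempt"; sid:2001; rev:1;)
"""

LOCAL_SID_MIN = 1_000_000  # Snort convention: SIDs below this belong to the official rule set

RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+.*\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
REV_RE = re.compile(r'\brev:\s*(\d+)')


def parse_local_rules(text):
    """Return (mapping, problems).

    mapping  -> {sid: (msg, rev)} for every rule that passes the checks; this is
                the data a SID-to-message table for the log parser needs.
    problems -> human-readable findings, one per rejected line.
    """
    mapping, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a recognisable rule")
            continue
        opts = m.group("opts")
        sid_m, msg_m, rev_m = SID_RE.search(opts), MSG_RE.search(opts), REV_RE.search(opts)
        if not (sid_m and msg_m):
            problems.append(f"line {lineno}: rule lacks sid or msg")
            continue
        sid = int(sid_m.group(1))
        rev = int(rev_m.group(1)) if rev_m else 1
        if sid < LOCAL_SID_MIN:
            problems.append(f"line {lineno}: sid {sid} is inside the vendor range (< {LOCAL_SID_MIN})")
            continue
        if sid in mapping:
            problems.append(f"line {lineno}: sid {sid} duplicates an earlier rule")
            continue
        mapping[sid] = (msg_m.group(1), rev)
    return mapping, problems
```

Run it against the real local.rules before each signature update and diff the resulting map against the previous one, so that custom entries can be re-applied if an RSA update replaces the message file.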
