RE: [Snort-users] snort rules/signatures

SGUIL incorporates a feature to show the rules that trigger the alerts.
SGUIL can be found at http://sguil.sourceforge.net.  Take a look at the
screen shots or the Flash demo.
 
--Dave

        -----Original Message-----
        From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of John Hally
        Sent: Thursday, May 25, 2006 10:17 AM
        To: snort-users@lists.sourceforge.net
        Subject: [Snort-users] snort rules/signatures
        
        

        Hello All,

        Way back when the original snort.org site used to include the
actual signature of the rule whenever you looked up an SID or clicked on
one from an alert in acid/base.  I found this EXTREMELY useful when
checking the validity of an alert to see if it was simply a pattern
match or something else triggering the alert and react accordingly.  My
question is, has anyone found a way to tie the signatures to alerts by
hacking up Base or some other console?  It would be very cool if
snort.org could add the signature back to the description, but if
there's another way to do it without me having to keep IDS Policy
Manager open and refer back to it, that would be outstanding.

        I'm thinking of possibly importing the ruleset(s) into mysql (a
la snortcenter/snortcenter2) and then try to figure out a way to add a
link to them from any of the consoles out there in use.  I'm currently
using Aanval and have asked for this as an enhancement, but not sure how
long that will take, if ever.  Just looking to see if anyone else is
doing something similar.

        Thanks in advance!

        John H.