Changes between Version 3 and Version 4 of FAQ

Timestamp: 03/23/08 19:58:55 (11 years ago)
Author: rmcmillen
Comment: --
A.  In order to edit the Honeywall Community FAQ, you must [https://projects.honeynet.org/honeywall/account register].

=== Q. Why don't I see custom rules in the Walleye UI? ===

A.  The snort and snort_inline rule management UI is no longer supported, so all rule changes must be made from the command line. The problem is that once you add rules to the system, neither snort's sid-msg.map nor the Walleye signature database is updated, and Walleye cannot name an alert whose sid it has never seen. Therefore, after you add new rules to the system, you need to do the following:

1. Create a new sid-msg.map. Oinkmaster comes with a perl script named create-sidmap.pl that is really easy to use. Simply point it at the snort rules directory and redirect its output to a sid-msg.map. For example, I added the rule you sent below to my local.rules. I had to change the sid because snort already has a rule with that sid (I used 70001). I then ran the perl script:

cp /etc/snort/sid-msg.map /etc/snort/sid-msg.map.bak
/usr/bin/create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map

2. Load the new sid-msg.map into the Walleye database. The easiest way to do this is to restart hflowd (/etc/init.d/hflowd) or restart the Honeywall; the hflowd startup script loads sid-msg.map on start.

From this point on, you should see your alerts in the Walleye UI.
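The two failure modes the procedure above guards against, a stale sid-msg.map and a custom rule that reuses an existing sid, can be checked before restarting hflowd. The following is an added example, not part of the FAQ or of Oinkmaster: it parses a constructed set of rule files (standing in for /etc/snort/rules/*.rules), reports sid collisions, and renders sid-msg.map lines in the `sid || msg || reference` format that create-sidmap.pl produces.

```python
import re
from collections import defaultdict

# Constructed sample rule files, standing in for /etc/snort/rules/*.rules.
# The second local rule deliberately reuses sid 1001 to show a collision.
SAMPLE_RULES = {
    "web-attacks.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACKS example probe"; '
        'content:"/probe"; reference:cve,2000-0000; sid:1001; rev:2;)',
    ],
    "local.rules": [
        "# local custom rules",
        'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh test"; flow:to_server; sid:70001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"LOCAL duplicate sid"; sid:1001; rev:1;)',
    ],
}

# Only active rule lines (not comments) carry a sid/msg worth mapping.
RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"\s*;')
REF_RE = re.compile(r"reference\s*:\s*([^;]+);")


def parse_rules(files):
    """Return a list of (file, sid, msg, [references]) for every active rule."""
    entries = []
    for name, lines in files.items():
        for line in lines:
            if not RULE_RE.match(line):
                continue
            sid, msg = SID_RE.search(line), MSG_RE.search(line)
            if not (sid and msg):
                continue  # malformed rule: snort would reject it anyway
            refs = [r.strip() for r in REF_RE.findall(line)]
            entries.append((name, int(sid.group(1)), msg.group(1), refs))
    return entries


def find_sid_collisions(entries):
    """Map sid -> list of files for every sid defined more than once."""
    seen = defaultdict(list)
    for name, sid, _, _ in entries:
        seen[sid].append(name)
    return {sid: files for sid, files in seen.items() if len(files) > 1}


def build_sid_msg_map(entries):
    """Render sid-msg.map lines ('sid || msg || ref || ref'), sorted by sid."""
    return [" || ".join([str(sid), msg] + refs)
            for _, sid, msg, refs in sorted(entries, key=lambda e: e[1])]
```

Resolve every collision reported by `find_sid_collisions` (as the FAQ does by renumbering to 70001) before writing the map, since a duplicate sid gives Walleye two names for one alert.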