Parsing Custom Snort Signatures

Unanswered Question
Nov 4th, 2009
User Badges:

I have several snort sensors reporting to MARS. As we update signatures and create custom signatures we get the "unknown device event type". Rather than update the Cisco parser (which will be upgraded each new version of MARS), can I create a custom parser and assign this parser and the default snort parser (provided by Cisco) to the same reporting device? I have tried this, but the new parser seems to be ignored as events still show up as "unknown" even after testing the pattern.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion