
#240 Sagan SIDs show up as Emerging Threats SIDs.

Project: BASE
Status: open
Assigned to: nobody
Group: Interface (166)
Priority: 5
Created: 2010-07-22
Updated: 2010-07-22
Creator: Da Beave
Private: No

Sagan is a real-time log analysis tool that can store and correlate IDS/IPS information with log information. For more information, please see http://sagan.softwink.com. Sagan uses the Snort MySQL and PostgreSQL schemas to store events and for correlation. When Sagan stores events, reference URLs show Sagan alerts as "EmThreat", which is incorrect. Sagan rule set SIDs start at 500000. It's likely that BASE simply considers anything over 200000 to be EmThreat rules (?). There's a screenshot of this issue at: http://sagan.softwink.com/screenshots.html (about the middle of the page). Let me know if you need any more information.
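To make the reported behaviour concrete, here is an added example (not BASE's or Sagan's own code) that puts the two approaches side by side: a single open-ended threshold, as the report guesses BASE uses, beside an explicit table of SID allocations where the narrowest matching block wins and an unallocated SID gets no vendor link at all. The threshold value (200000), the URL templates, and the upper bound of the Sagan block are assumptions made for the example; the Sagan lower bound (500000) is from the report, and the Snort (1 to 999999), local (1000000 and up) and Emerging Threats (2000000 to 2999999) blocks are the published conventions.

```python
# Added example: resolving a rule SID to the right reference link.
# Illustrative code, not BASE's or Sagan's. URL templates, the 200000
# threshold and the Sagan upper bound are assumptions.
from typing import List, Optional, Tuple

# Placeholder documentation URL templates (assumed, not BASE's real config).
DOC_URLS = {
    "snort": "https://rules.example.invalid/snort/sid/{sid}",
    "EmThreats": "https://rules.example.invalid/et/{sid}",
    "Sagan": "https://rules.example.invalid/sagan/{sid}",
}

ET_THRESHOLD = 200_000  # the ticket's guess at BASE's cut-off; assumed here


def legacy_reference(sid: int) -> Tuple[str, str]:
    """Single open-ended threshold: everything above it is labelled ET.

    Mirrors the behaviour described in the ticket: Sagan's SIDs (500000
    and up) land in the Emerging Threats branch and get the wrong link.
    """
    source = "EmThreats" if sid > ET_THRESHOLD else "snort"
    return source, DOC_URLS[source].format(sid=sid)


# Explicit allocations as (low, high, source). A source of None means the
# block is documented locally only (the [local] link) and gets no vendor URL.
# The Sagan block starts at 500000 per the ticket; its upper bound is assumed.
SID_RANGES: List[Tuple[int, int, Optional[str]]] = [
    (1, 999_999, "snort"),
    (500_000, 999_999, "Sagan"),
    (1_000_000, 1_999_999, None),  # Snort's reserved range for local rules
    (2_000_000, 2_999_999, "EmThreats"),
]


def resolve_reference(sid: int) -> Optional[Tuple[str, str]]:
    """Return (source, url) for the narrowest block containing sid, else None."""
    best = None
    for low, high, source in SID_RANGES:
        if low <= sid <= high and (best is None or high - low < best[1] - best[0]):
            best = (low, high, source)
    if best is None or best[2] is None:
        return None
    return best[2], DOC_URLS[best[2]].format(sid=sid)


def reference_links(sid: int) -> List[str]:
    """Links as a console would render them: [local] always, vendor only when known."""
    links = ["[local]"]
    ref = resolve_reference(sid)
    if ref is not None:
        links.append("[%s]" % ref[0])
    return links


if __name__ == "__main__":
    # Constructed sample SIDs: Snort, Sagan, local, ET, and an unallocated one.
    for sid in (1234, 500_001, 1_500_000, 2_008_000, 4_000_000):
        print(sid, "legacy:", legacy_reference(sid)[0], "fixed:", reference_links(sid))
```

The narrowest-block rule is what lets a third-party range that overlaps a vendor's block (here Sagan inside Snort's 1 to 999999) still resolve correctly; a SID outside every allocation keeps only the [local] link rather than being guessed into the nearest vendor.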

Discussion

  • Will Urbanski - 2010-07-23

    Hi, thanks for letting us know about this. Can you please provide the URL that BASE is generating for the Emerging Threats link in your screenshot?

  • Nobody/Anonymous

    Sure can, and sorry about the delay! Here's a link to some screenshots. The screenshots in question are in the middle of the page.

    http://sagan.softwink.com/screenshots.html

  • Nobody/Anonymous

    Looking at the screenshots, those are pretty old. You'll notice "[softwink]" as a URL reference. That was when I manually added a URL reference into the source code of BASE. I later thought this was a bad idea, and switched to the normal "url" or "link" reference. I can make a better/more current screenshot. My point is not to be confused by the "[softwink]" part of the link. You'll notice the [local] link and then an [EmThreats] link. The [EmThreats] is the one that shouldn't be there. If you have any questions I'll be more than happy to assist.