[Snort-devel] Preprocessors that generate events

Edward Balas ebalas at ...1183...
Mon Mar 4 14:40:03 EST 2002

Hey all,

Quick question:

Is it possible for preprocessors to generate events that
have the classtype defined?  i.e. it would be great if the portscan
preprocessor could generate events with the classtype of "attempted-recon"
or something along those lines.

Why I ask:

I have been working with snort in conjunction with a database.  The other
day I noticed that when portscan events are recorded in the database they
don't have an associated sig_class.  From my snooping through the code it
looks like such data is extracted from otn_tmp.  Now my understanding of the
snort internals is pretty shaky but this is a pointer to the current rule,
right?  So otn_tmp should be null at the time the preprocessor posted the
alert and thus when the spo_database processed the alert there would be
no way for it to determine the appropriate classtype?

If my assessment of the situation above isn't completely flawed...
Does having the preprocessor set otn_tmp to something meaningful
do the trick, or is that gonna cause a world of hurt?

Any insights would be great,

Ed Balas

