[Snort-devel] Preprocessors that generate events

Joe McAlerney joeMCA at ...512...
Mon Mar 4 15:20:06 EST 2002


Hi Edward,

Sure, you may want to build a "dummy packet" in the portscan plugin to 
allow you to add the classification code, and anything else the database 
plugin may be able to use, and pass that into Call[Alert,Log]Funcs().

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey at ...60...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

On Monday, March 4, 2002, at 07:40 PM, Edward Balas wrote:

> Hey all,
>
> Quick question:
>
> Is it possible for preprocessors to generate events that
> have the classtype defined? I.e., it would be great if the portscan
> preprocessor could generate events with the classtype of "attempted-recon"
> or something along those lines.
>
> Why I ask:
>
> I have been working with snort in conjunction with a database. The other
> day I noticed that when portscan events are recorded in the database they
> don't have an associated sig_class. From my snooping through the code it
> looks like such data is extracted from otn_tmp. Now my understanding of the
> snort internals is pretty shaky, but this is a pointer to the current rule,
> right? So otn_tmp should be null at the time the preprocessor posted the
> alert, and thus when the spo_database processed the alert there would be
> no way for it to determine the appropriate classtype?
>
> If my assessment of the situation above isn't completely flawed...
> Does having the preprocessor set otn_tmp to something meaningful
> do the trick, or is that gonna cause a world of hurt?
>
>
> Any insights would be great,
>
> Ed Balas
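The situation Ed describes and the "dummy event" approach Joe suggests, as an added illustration that is not Snort's code and not part of this thread: the structures below are toy stand-ins for what the messages mention (a global current-rule pointer named otn_tmp, a sig_class column derived from it, an output plugin reached through an alert callback), the generator id is a made-up value, and the function names are assumptions. The point it shows is why a database output plugin that reads the class only through otn_tmp records nothing for preprocessor alerts, and how carrying the classification inside the event itself removes that dependency without the preprocessor having to poke a global it does not own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Toy models only; these are not Snort's real OptTreeNode/Event layouts. */
typedef struct {
    const char *classtype;   /* e.g. "attempted-recon" */
    int priority;
} ClassType;

typedef struct {
    int sid;
    const ClassType *classification;  /* set from the rule's classtype keyword */
} OptTreeNode;

/* The event handed to output plugins. In this illustration it carries its
 * own classification so the output side need not consult the current rule. */
typedef struct {
    unsigned gen_id;        /* constructed: 1 = rules engine, other = preprocessor */
    unsigned sig_id;
    const char *msg;
    const ClassType *classification;
} Event;

/* Pointer to the rule currently being evaluated. It is NULL while a
 * preprocessor runs, which is exactly the case raised in the question. */
static const OptTreeNode *otn_tmp = NULL;

/* Original behaviour (hypothetical): the database plugin derives sig_class
 * from the global rule pointer only, so a preprocessor alert yields nothing. */
const char *db_sig_class_from_otn(const Event *ev) {
    (void)ev;
    if (otn_tmp == NULL || otn_tmp->classification == NULL)
        return NULL;   /* no rule context: sig_class stays empty in the DB */
    return otn_tmp->classification->classtype;
}

/* Hardened behaviour (hypothetical): prefer the class carried by the event,
 * fall back to the current rule, and never leave the column undefined. */
const char *db_sig_class(const Event *ev) {
    if (ev->classification != NULL)
        return ev->classification->classtype;
    if (otn_tmp != NULL && otn_tmp->classification != NULL)
        return otn_tmp->classification->classtype;
    return "unknown";
}

static const ClassType RECON = { "attempted-recon", 2 };

/* The preprocessor side: build a "dummy" event with the classification
 * already filled in, which is what the output callback then receives. */
Event portscan_build_event(const char *msg) {
    Event ev;
    memset(&ev, 0, sizeof ev);
    ev.gen_id = 100;              /* constructed preprocessor generator id */
    ev.sig_id = 1;
    ev.msg = msg;
    ev.classification = &RECON;   /* the class a rule would have supplied */
    return ev;
}

int main(void) {
    Event ev = portscan_build_event("PORTSCAN DETECTED (constructed sample)");
    const char *old = db_sig_class_from_otn(&ev);
    printf("otn_tmp-only path: sig_class = %s\n", old ? old : "(null)");
    printf("event-carried path: sig_class = %s\n", db_sig_class(&ev));
    return 0;
}
```

Run as-is it prints the empty result for the otn_tmp-only path and "attempted-recon" for the event-carried path. The detection-side consequence of the original behaviour is worth noting: alerts stored without a class are invisible to any query or report that filters on sig_class, so a whole generator's output can silently drop out of triage.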