[Snort-devel] generators[.h]

Phil Wood cpw at ...86...
Fri Oct 18 16:08:03 EDT 2002


Folks,

I'm taking a closer look at the alert/log generation.  Actually, I just
wanted to understand the short message format:

MM/DD-HH:MM:SS.UUUUUU  [**] [GEN:SID:REV] msg [**] {PROTO} SADDR:SPORT -> DADDR:DPORT

I was alright until I broke down the [n:n:n] field, and then looked at my
alerts, and then back at the preprocessor alerts, and then ...

But, now I'm ok.  I would personally leave out the "(preprocessor)" stuff
and just let people in on the meaning of the GEN field of the [n:n:n] structure.
Or, on the other hand, add in to each msg generated by the snort_engine
"(snort_engine)".

Any post processor worth its salt could index the GEN value into a list of
generators.  Of course you could argue the same for the SID.

I guess I'll shut up now.

Thanks,

Phil
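Added example (not part of the original message): a parser for the short alert line quoted above that breaks out the [GEN:SID:REV] field and indexes GEN into a generator table, the post-processing step the post describes. The GEN table, the sample lines and the optional ports (so a port-less protocol such as ICMP still parses) are assumptions for this example; check the table against the generators.h of the Snort build that wrote the log.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Short alert line: TIME [**] [GEN:SID:REV] msg [**] {PROTO} SADDR:SPORT -> DADDR:DPORT
# Assumption: ports are optional so port-less protocols (ICMP) still match.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<saddr>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<daddr>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed GEN -> generator table: 1 is the snort engine (rule alerts);
# the preprocessor entries are assumed and must be checked against generators.h.
GENERATORS = {1: "snort_engine", 100: "spp_portscan", 111: "spp_stream4"}

class Alert(NamedTuple):
    ts: str
    gen: int
    sid: int
    rev: int
    msg: str
    proto: str
    saddr: str
    sport: Optional[int]
    daddr: str
    dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one short-format line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    return Alert(m["ts"], int(m["gen"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["proto"], m["saddr"], sport, m["daddr"], dport)

def generator_name(gen: int) -> str:
    """Index the GEN value into the generator table; unknown ids are labelled, not dropped."""
    return GENERATORS.get(gen, f"unknown_gen_{gen}")

def count_by_generator(lines) -> dict:
    """Count alerts per generator, skipping lines that do not parse."""
    return dict(Counter(generator_name(a.gen) for a in map(parse_alert, lines) if a))

# Constructed sample lines (documentation addresses, not captured traffic).
SAMPLE_LINES = [
    "10/18-16:08:03.123456  [**] [1:1000001:1] CONSTRUCTED rule alert [**] {TCP} 192.0.2.10:4444 -> 198.51.100.20:80",
    "10/18-16:08:04.000001  [**] [100:1:1] spp_portscan: constructed event [**] {TCP} 192.0.2.10:40000 -> 198.51.100.20:22",
    "10/18-16:08:05.000002  [**] [1:1000002:2] CONSTRUCTED icmp alert [**] {ICMP} 192.0.2.10 -> 198.51.100.20",
    "not an alert line",
]
```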
