[Snort-devel] database and generator, sig_sid and sig_id

Dirk Geschke Dirk_Geschke at ...802...
Fri Sep 13 13:51:08 EDT 2002


Hi all,

with the current database plugin we don't log the event->sig_generator.
This should be helpful to find the right preprocessor generating
the alert (if the alert is generated by a preprocessor).

This information is now lost and you can only identify the generator
by the alert message.

But with the actual scheme of the database there is no key in any
table where it would fit in. (It should be part of the signature
table?)

One other issue with the signature table is that it only ensures
that the alert message, sig_rev and sig_sid are unique. So if you
only change the classification or (mostly related to this) the
priority, then the rule will neither get updated nor will a new
rule with the new values be inserted. The sig_id will still point
to the old rule entry. Maybe the database plugin should be updated
according to these two rule options?

Best regards

Dirk 


-- 
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |
+------------------------------------------------------------+