[Snort-devel] How to generate an alert?

Daniel Roelker droelker at ...402...
Fri Nov 12 08:32:04 EST 2004


Hi Raymond,

Some events we want to be queued up and selected, while other events we 
want to log no matter what.

Portscan events are one of the events that we always want to log because 
these events are normally generated from multiple packet tracking, 
rather than a single packet.

So if the preprocessor you are working on generates alerts based on a 
single packet then you want to use SnortEventqAdd, otherwise use 
SetEvent() and CallAlertFuncs().

Dan

Raymond Pun wrote:
> Hi,
> 
> I am making a preprocessor, and therefore I am looking at the existing 
> ones.
> 
> I found that in spp_bo.c, it uses
> SnortEventqAdd()
> to add an event while in spp_portscan.c, it uses
> SetEvent() and CallAlertFuncs
> 
> What is the difference between the two?
> 
> Many thanks.
> 
> regards,
> raymond
> 
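
A simplified model of the two paths described in the reply above, added here as an illustration; it is not Snort source and not code from either poster. The function names (`queue_event`, `flush_packet_events`, `log_event_now`), the generator and signature IDs, and the selection policy (one event logged per packet, lowest priority number wins) are assumptions.

```c
#include <stdio.h>
/* Simplified model, NOT Snort source. All names and IDs are hypothetical. */
#define MAX_QUEUE 8
typedef struct { unsigned gid, sid, priority; const char *msg; } Event;

static Event queue[MAX_QUEUE];
static int queued, logged;
static unsigned last_sid;

/* Output stage: anything that reaches here is written. */
static void log_alert(const Event *e) {
    printf("[%u:%u] %s\n", e->gid, e->sid, e->msg);
    logged++;
    last_sid = e->sid;
}

/* Path 1, single-packet detection: queue the event; it competes with others. */
int queue_event(unsigned gid, unsigned sid, unsigned priority, const char *msg) {
    if (queued == MAX_QUEUE) return -1;          /* queue full, event dropped */
    queue[queued++] = (Event){gid, sid, priority, msg};
    return 0;
}

/* End of packet: select one queued event (assumed policy: lowest priority
   number wins) and log it; the rest are discarded. Returns events logged. */
int flush_packet_events(void) {
    int best = 0;
    if (queued == 0) return 0;
    for (int i = 1; i < queued; i++)
        if (queue[i].priority < queue[best].priority) best = i;
    log_alert(&queue[best]);
    queued = 0;
    return 1;
}

/* Path 2, state built over many packets: log now, bypassing selection. */
void log_event_now(unsigned gid, unsigned sid, unsigned priority, const char *msg) {
    Event e = {gid, sid, priority, msg};
    log_alert(&e);
}

int logged_count(void) { return logged; }
unsigned last_logged_sid(void) { return last_sid; }

int main(void) {
    queue_event(1001, 1, 3, "low-priority single-packet event");
    queue_event(1001, 2, 1, "high-priority single-packet event");
    log_event_now(1002, 9, 2, "scan threshold crossed");  /* logged at once */
    return flush_packet_events() == 1 ? 0 : 1;            /* logs sid 2 only */
}
```

In this model a queued event can lose to a higher-priority event on the same packet and never be written, which is why a detection that depends on state from many packets takes the direct path.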



