[Snort-devel] GEN_ID in Database Plug-in Output

Dirk Geschke Dirk_Geschke at ...802...
Fri Apr 15 08:00:44 EDT 2005


Hi Ron,

> Is it possible (easy) to get the gen_id added to the signature table
> output of the database plug-in? This would allow a minor tweak to ACID
> (line 168 of acid_signature.inc) and then alerts with gen_ids other than
> 1 could be referenced back to the Snort.org Rule database. Currently,
> only the sig_id is available which is great for rules, but doesn't work
> for alerts generated by other plug-ins like stream4, etc.

this is not difficult to implement in the output plugin. But more
interesting is where you want to store the gen_id. I think you
need an extra column in the signature table.

Or you can do the hack we've done with FLoP: if sig_generator is not
equal to GENERATOR_SNORT_ENGINE, we insert the sig_generator as the
revision number of the rule. These numbers are > 100 and I don't
expect that any rule ever will get such a revision number.

In principle pre-processor alerts should be identifiable by the
sig_sid which should be less than 100. But there are several ones
which are bigger. Therefore we used this hack...

Best regards

Dirk
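The two points in Dirk's reply (storing the generator id in the revision column when the alert is not from the rule engine, and why sig_sid alone cannot identify a preprocessor alert) as an added Python example. This is not code from FLoP, Snort or ACID; the threshold of 100 comes from the mail, and the generator ids and sids in the sample rows are constructed values.

```python
# Added example: encode/decode the "gid stored as rev" scheme and the
# ambiguity checks a console (such as ACID) would want before trusting it.

GENERATOR_SNORT_ENGINE = 1     # gid of alerts raised by ordinary rules
GENERATOR_REV_THRESHOLD = 100  # a stored rev above this is really a gid

def is_representable(gid, sid, rev):
    """True if (gid, sid, rev) survives the hack without ambiguity."""
    if gid == GENERATOR_SNORT_ENGINE:
        return rev <= GENERATOR_REV_THRESHOLD   # a real rev > 100 would look like a gid
    return gid > GENERATOR_REV_THRESHOLD        # a small gid would look like a rev

def encode_signature(gid, sid, rev):
    """Return (sig_sid, sig_rev) as the hack stores them.
    For non-engine generators the rule revision is replaced by the gid."""
    if not is_representable(gid, sid, rev):
        raise ValueError(f"{gid}:{sid}:{rev} cannot be stored unambiguously")
    if gid == GENERATOR_SNORT_ENGINE:
        return sid, rev
    return sid, gid

def decode_signature(sig_sid, sig_rev):
    """Recover (gid, sid, rev) from the stored columns.
    rev is None when the column was used to carry the gid."""
    if sig_rev > GENERATOR_REV_THRESHOLD:
        return sig_rev, sig_sid, None
    return GENERATOR_SNORT_ENGINE, sig_sid, sig_rev

def reference_id(sig_sid, sig_rev):
    """gid:sid string a front end can use to look the signature up."""
    gid, sid, _ = decode_signature(sig_sid, sig_rev)
    return f"{gid}:{sid}"

def naive_is_preprocessor(sig_sid):
    """The sid-only heuristic the mail warns about: sid < 100."""
    return sig_sid < GENERATOR_REV_THRESHOLD

# Constructed sample alerts as (gid, sid, rev) reported by the engine.
SAMPLE_ALERTS = [
    (1, 2003, 8),     # ordinary rule
    (111, 1, 1),      # preprocessor alert with a small sid
    (122, 1024, 1),   # preprocessor alert whose sid is > 100
]

if __name__ == "__main__":
    for gid, sid, rev in SAMPLE_ALERTS:
        stored = encode_signature(gid, sid, rev)
        print(gid, sid, rev, "->", stored, "->", reference_id(*stored),
              "naive guess preprocessor:", naive_is_preprocessor(stored[0]))
```

The last sample row is the case the mail describes: the sid-only heuristic misclassifies it, while the rev-column encoding still yields the correct gid at the cost of losing the rule revision.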
