[Snort-devel] Snort Preprocessors

Sheppard Martin Contr AFRL/IFGA Martin.Sheppard at ...2281...
Wed May 11 08:49:16 EDT 2005


Hello all,

The Snort site provides information regarding various alerts that are
generated by the rules contained in the rules files. My question is: is
there a good source of information regarding the alerts that the
preprocessors/modules generate and why each alert is generated? I recently
had an alert generated from the http_inspect module and had to "go to the
code" to figure out the exact reason the alert was generated. This took a
bit more time than it could have if I had documentation about the alert or
(if such a data source exists) the knowledge of where to find the list.
Optimally, a reference list for the modules is desirable. Also, while I am
sending this message, I preload the references from the rules files into a
database to allow an analyst to browse to reference web sites related to
various alerts. At the present time I use the signature id and fill in the
database with a Snort reference. However, sometimes the Snort site does not
contain reference information. From my point of view it would be desirable
to have a snort reference in the rules file for signatures that have
references at snort.org. Anyone have the same desire? And oh, by the way,
are port lists in the near future? Sorry for the long email.

Thanks in advance for any pointers.

Marty.
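The preload step the post describes (walk the rules files, key on each rule's sid, store the rule's reference: options as browsable URLs, and add a snort.org reference for the sid itself) can be done with a small script. The one below is an added example for this page, not the poster's own code or anything shipped with Snort. It expands reference systems the same way Snort's reference.config does (a system name mapped to a URL prefix); the reference.config subset and the rule text are constructed for the example, and the snort.org URL prefix used for the synthesised per-sid reference is an assumption, not taken from any Snort file.

```python
"""Build a sid -> reference-URL table from Snort rule text.

Added example, not from the original post or from Snort.  The rules and the
reference.config excerpt below are constructed for the demonstration.
"""
import re
import sqlite3

# Constructed subset of a Snort reference.config.  The real file uses exactly
# this "config reference: <system> <url-prefix>" form.
REFERENCE_CONFIG = """
config reference: bugtraq   http://www.securityfocus.com/bid/
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://
"""

# ASSUMPTION: prefix for the snort.org reference synthesised from the sid.
# Not read from any Snort file; adjust to whatever the site actually serves.
SNORT_SID_URL = "http://www.snort.org/pub-bin/sigs.cgi?sid="

# Constructed rules: one with two references (and backslash continuation),
# one with no references at all, and one with only a url reference.
RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example"; \
  flow:to_server,established; content:"/example"; reference:cve,2005-0001; \
  reference:bugtraq,12345; sid:1000001; rev:2; classtype:web-application-attack;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example no refs"; sid:1000002; rev:1;)
# comment lines are skipped
alert udp any any -> any 53 (msg:"DNS example"; reference:url,www.example.org/dns.html; sid:1000003; rev:1;)
"""

REF_CONF_RE = re.compile(r"^\s*config\s+reference:\s*(\S+)\s+(\S+)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# reference:<system>,<id>;  -- the id may not contain an unescaped ';'
REF_RE = re.compile(r"\breference\s*:\s*([^,;]+)\s*,\s*([^;]+);")


def load_reference_config(text):
    """Map lower-cased reference system name -> URL prefix."""
    systems = {}
    for line in text.splitlines():
        m = REF_CONF_RE.match(line)
        if m:
            systems[m.group(1).lower()] = m.group(2)
    return systems


def iter_rules(text):
    """Yield logical rule lines: join backslash continuations, drop comments/blanks."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = " ".join(buf).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical


def rule_references(rule, systems):
    """Return (sid, [(system, url), ...]) or None when the line carries no sid.

    The snort.org reference is always emitted first, then each reference:
    option expanded through the reference.config map.  Unknown systems are
    skipped (Snort itself would refuse to load such a rule).
    """
    m = SID_RE.search(rule)
    if not m:
        return None
    sid = int(m.group(1))
    refs = [("snort", SNORT_SID_URL + str(sid))]
    for system, ident in REF_RE.findall(rule):
        name = system.strip().lower()
        prefix = systems.get(name)
        if prefix is None:
            continue
        refs.append((name, prefix + ident.strip()))
    return sid, refs


def build_db(rules_text, systems, conn=None):
    """Load every rule's references into a (sid, system, url) table."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS sig_ref (sid INTEGER, system TEXT, url TEXT)")
    for rule in iter_rules(rules_text):
        parsed = rule_references(rule, systems)
        if parsed is None:
            continue
        sid, refs = parsed
        conn.executemany("INSERT INTO sig_ref VALUES (?, ?, ?)",
                         [(sid, s, u) for s, u in refs])
    conn.commit()
    return conn


def lookup(conn, sid):
    """URLs an analyst can browse to for a given sid, in insertion order."""
    return [row[0] for row in
            conn.execute("SELECT url FROM sig_ref WHERE sid = ? ORDER BY rowid", (sid,))]


if __name__ == "__main__":
    db = build_db(RULES, load_reference_config(REFERENCE_CONFIG))
    for sid in (1000001, 1000002, 1000003):
        print(sid, lookup(db, sid))
```

Because the snort.org entry is synthesised from the sid rather than read from the rule, the table will contain such a link even for signatures the site has no page for; that is exactly the gap the post complains about, and a rules-file reference would let the loader emit the snort.org link only where one is known to exist.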