[Snort-devel] Help with generating alerts through a preprocessor

Salvo Danilo Giuffrida salvodanilogiuffrida at ...2499...
Mon Jun 16 10:43:23 EDT 2008


Hello, I wrote a preprocessor, which under certain conditions should
generate some alarms. To do this, I defined the following macro that I
call for convenience at the point where the alert(s) should be
generated.

#define ALERT(y) { SnortEventqAdd(GENERATOR_SPP_ID, SIGNATURE_ID, 1, \
                                  0, 3, y, NULL ); }

Where the constants 'GENERATOR_SPP_ID' and 'SIGNATURE_ID' have been
defined in generators.h, and are respectively 1000002 and 1.
My problem is that, even if the function SnortEventqAdd is called (I
saw it by debugging the preprocessor), no alert is written into the
/var/log/alert file, while other 'standard' alerts (created by the
detection engine) are added (I check this with 'tail -f
/var/log/alert'). If, instead of calling SnortEventqAdd, I simply call
a 'LogMessage(y)' in the macro, the string contained in y is printed,
but that's not what I'd like to have; I'd like to have it integrated
with the alarming system.
What could be the problem?
Thanks a lot
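The following is an added, self-contained C example, not code from the post or from Snort. It shows the ALERT macro written in a form that preprocesses correctly (the post's version was split over two lines without a continuation backslash) and wraps it around a small constructed model of an event queue: events added by the macro are only written to the alert sink when the queue is logged as a separate step, which is the queue-then-log structure of Snort's SnortEventqAdd/SnortEventqLog pair. The names model_eventq_add, model_eventq_log and model_eventq_pending are assumptions for the example; the generator and signature values are the ones the post gives.

```c
#include <stdio.h>

/* Values as given in the post (generators.h in the poster's tree). */
#define GENERATOR_SPP_ID 1000002
#define SIGNATURE_ID     1

/* Constructed model of an alert event queue. This is NOT Snort's
 * implementation; it only reproduces the shape: add() queues an event
 * for the current packet, log() writes the queued events out. */
typedef struct {
    unsigned    gen_id;
    unsigned    sig_id;
    unsigned    rev;
    unsigned    classification;
    unsigned    priority;
    const char *msg;
} QueuedEvent;

#define MAX_EVENTS 8
static QueuedEvent queue[MAX_EVENTS];
static int         queue_len = 0;

/* Queue one event. Returns 0 on success, -1 if the queue is full
 * (a full queue silently drops the event, one reason an alert can
 * never reach the log file). */
int model_eventq_add(unsigned gen_id, unsigned sig_id, unsigned rev,
                     unsigned classification, unsigned priority,
                     const char *msg)
{
    if (queue_len >= MAX_EVENTS)
        return -1;
    queue[queue_len].gen_id         = gen_id;
    queue[queue_len].sig_id         = sig_id;
    queue[queue_len].rev            = rev;
    queue[queue_len].classification = classification;
    queue[queue_len].priority       = priority;
    queue[queue_len].msg            = msg;
    queue_len++;
    return 0;
}

/* Number of events queued but not yet written out. */
int model_eventq_pending(void)
{
    return queue_len;
}

/* Write every queued event to the sink (NULL = discard) in a
 * Snort-like "[gen:sig:rev]" line, then empty the queue.
 * Returns the number of events written. */
int model_eventq_log(FILE *sink)
{
    int i, n = 0;
    for (i = 0; i < queue_len; i++) {
        if (sink)
            fprintf(sink, "[**] [%u:%u:%u] %s [**] [Priority: %u]\n",
                    queue[i].gen_id, queue[i].sig_id, queue[i].rev,
                    queue[i].msg, queue[i].priority);
        n++;
    }
    queue_len = 0;
    return n;
}

/* The post's macro, corrected: each continued line ends in a backslash,
 * and do { } while (0) keeps it safe inside an unbraced if/else.
 * Argument order mirrors the post: gen id, sig id, rev,
 * classification, priority, message. */
#define ALERT(y) do {                                            \
    model_eventq_add(GENERATOR_SPP_ID, SIGNATURE_ID, 1, 0, 3, (y)); \
} while (0)

int main(void)
{
    /* Constructed trigger: the preprocessor decides an alert is due. */
    ALERT("spp_example: suspicious condition observed");
    printf("pending after ALERT: %d\n", model_eventq_pending());

    /* Nothing reaches the alert sink until the queue is logged. */
    int written = model_eventq_log(stdout);
    printf("written after log: %d\n", written);
    return 0;
}
```

The point to check when debugging a preprocessor alert that never appears is therefore not only that the add call runs, but that the queue is logged for that packet afterwards and that the event was not dropped by the queue before that step.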