[Snort-devel] Help with generating alerts through a preprocessor

Steven Sturges steve.sturges at ...402...
Mon Jun 16 11:00:02 EDT 2008


Hi Salvo--

When you configured/compiled snort, did you have preprocessor/decoder
turned on?  If so, you'll need to define a preprocessor rule to have
the event show up -- see preproc_rules/preprocessor.rules for examples.

Or run configure --disable-preprocessor-decoder-rules prior to compiling
Snort.

Cheers.
-steve

Salvo Danilo Giuffrida wrote:
> Hello, I wrote a preprocessor, which under certain conditions should
> generate some alarms. To do this, I defined the following macro that I
> call for convenience at the point where the alert(s) should be
> generated.
> 
> #define ALERT(y) { SnortEventqAdd(GENERATOR_SPP_ID, SIGNATURE_ID, 1, 0, 3, y, NULL ); }
> 
> Where the constants 'GENERATOR_SPP_ID' and 'SIGNATURE_ID' have been
> defined in generators.h, and are respectively 1000002 and 1.
> My problem is that, even if the function SnortEventqAdd is called (I
> saw it by debugging the preprocessor), no alert is written into the
> /var/log/alert file, while other 'standard' alerts (created by the
> detection engine) are added (I check this with 'tail -f
> /var/log/alert'). If, instead of calling SnortEventqAdd, I simply call
> a 'LogMessage(y)' in the macro, the string contained in y is printed,
> but that's not what I'd like to have, I'd like to have it integrated
> with the alarming system.
> What could be the problem?
> Thanks a lot
> 
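The preprocessor rule Steve refers to, written out for the gid/sid pair in Salvo's macro, as an added example that is not part of the thread (the msg text, the classtype and the `$PREPROC_RULE_PATH` include are assumptions chosen to match the stock preproc_rules/preprocessor.rules layout; the generator id 1000002 and signature id 1 come from the question):

```snort
# snort.conf: preprocessor/decoder events are only reported when a matching
# preprocessor rule is loaded, so the rules file must be included.
include $PREPROC_RULE_PATH/preprocessor.rules

# preproc_rules/preprocessor.rules: one entry per (gid, sid) the preprocessor
# raises via SnortEventqAdd(). gid must equal GENERATOR_SPP_ID (1000002) and
# sid must equal SIGNATURE_ID (1); without this line the event is filtered
# before it reaches the alert output plugin.
alert ( msg: "MYPREPROC_CUSTOM_EVENT"; sid: 1; gid: 1000002; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
```

The same event can be rate-limited or suppressed like any other rule once it has a gid:sid entry, which is the reason Snort requires the rule rather than emitting preprocessor events unconditionally.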