[Snort-devel] Fwd: [Snort-Users] snort signature code

Steven Sturges ssturges at ...402...
Fri Jun 10 14:26:42 EDT 2011


This code allows Snort to print a meaningful URL related to a short
reference value that is specified in a rule.  The meaning of each of
the reference names (cve, bugtraq, etc.) is specified in reference.config.

For example, if a rule has "reference:cve,2010-0000;", then when Snort
generates an alert that includes reference information, that gets
expanded to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0000

Hope this helps.

On 6/10/11 1:00 PM, Joel Esler wrote:
>
>
> Begin forwarded message:
>
>> *From: *nashwa salah <nashwasalah8 at ...2499...
>> <mailto:nashwasalah8 at ...2499...>>
>> *Date: *June 10, 2011 12:03:52 PM EDT
>> *To: *Snort-Users <snortusers at ...3154...
>> <mailto:snortusers at ...3154...>>
>> *Subject: **[Snort-Users] snort signature code*
>>
>> I want to know what this code means, or what its main function is in
>> the signature file:
>>
>> ReferenceSystemNode * ReferenceSystemAdd(ReferenceSystemNode **head,
>>                                          char *name, char *url)
>> {
>>     ReferenceSystemNode *node;
>>
>>     if (name == NULL)
>>     {
>>         ErrorMessage("NULL reference system name\n");
>>         return NULL;
>>     }
>>
>>     if (head == NULL)
>>         return NULL;
>>
>>     /* create the new node */
>>     node = (ReferenceSystemNode *)SnortAlloc(sizeof(ReferenceSystemNode));
>>
>>     node->name = SnortStrdup(name);
>>     if (url != NULL)
>>         node->url = SnortStrdup(url);
>>
>>     /* Add to the front of the list */
>>     node->next = *head;
>>     *head = node;
>>
>>     return node;
>> }
>>
>> ReferenceSystemNode * ReferenceSystemLookup(ReferenceSystemNode *head,
>>                                             char *name)
>> {
>>     if (name == NULL)
>>         return NULL;
>>
>>     while (head != NULL)
>>     {
>>         if (strcasecmp(name, head->name) == 0)
>>             break;
>>
>>         head = head->next;
>>     }
>>
>>     return head;
>> }

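The expansion described in the reply above, as an added stand-alone example; it is not part of the original thread and is not Snort's source. `RefSys`, `ref_add` and `ref_expand` are hypothetical names, and the single list entry is constructed from the URL shown in the reply.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strncasecmp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Hypothetical stand-alone node with the name/url/next fields of the quoted code. */
typedef struct RefSys { char *name; char *url; struct RefSys *next; } RefSys;

/* Prepend a reference system; NULL on bad input or allocation failure. */
RefSys *ref_add(RefSys **head, const char *name, const char *url)
{
    RefSys *n;
    if (head == NULL || name == NULL || (n = calloc(1, sizeof(*n))) == NULL)
        return NULL;
    n->name = strdup(name);
    n->url = url ? strdup(url) : NULL;   /* URL prefix is optional */
    if (n->name == NULL || (url != NULL && n->url == NULL)) {
        free(n->name); free(n->url); free(n);
        return NULL;
    }
    n->next = *head; *head = n;          /* add to the front of the list */
    return n;
}

/* Expand "system,id" (a rule's reference option) into out. Returns 1 when
 * expanded to a URL, 0 when the system is unknown or has no URL (out holds
 * the raw pair), -1 on malformed input or when out is too small. */
int ref_expand(const RefSys *head, const char *ref, char *out, size_t len)
{
    const char *comma = ref ? strchr(ref, ',') : NULL;
    int w, hit;
    if (comma == NULL || comma == ref || comma[1] == '\0' || out == NULL)
        return -1;
    for (; head != NULL; head = head->next)   /* case-insensitive name match */
        if (strlen(head->name) == (size_t)(comma - ref) &&
            strncasecmp(ref, head->name, (size_t)(comma - ref)) == 0)
            break;
    hit = (head != NULL && head->url != NULL);
    w = snprintf(out, len, "%s%s", hit ? head->url : "", hit ? comma + 1 : ref);
    return (w < 0 || (size_t)w >= len) ? -1 : hit;
}

int main(void)
{
    RefSys *list = NULL;   /* constructed entry; prefix taken from the URL in the reply */
    char buf[128];
    ref_add(&list, "cve", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=");
    if (ref_expand(list, "CVE,2010-0000", buf, sizeof(buf)) == 1)
        puts(buf);
    return 0;
}
```

A reference whose system name is not in the list comes back unexpanded with return value 0, so an alert can still show the raw pair.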