[Snort-devel] How to use alertAdd to generate a "variable" alert message?

Russ Combs rcombs at ...402...
Mon May 27 22:44:51 EDT 2013


On Mon, May 27, 2013 at 2:49 PM, Hai Minh Nguyen <lightsea90 at ...2499...> wrote:
> Help me, please!
>
>
> On Sat, May 25, 2013 at 11:16 PM, Hai Minh Nguyen <lightsea90 at ...2499...>
> wrote:
>>
>> Hi,
>>
>> I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor. But
>> I face a problem:
>>
>> I ran this code:
>>
>> char alert[256];
>> double score = MyFunction();
>> sprintf(alert, "Alert: Score = %lf", score);
>> _dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);
>>
>> I'm using 2 output modules to check it: alert_fast and unified2 (to MySQL
>> by barnyard2). I checked the result in the alert_fast output file, but it
>> didn't show the correct alert message (e.g. Alert: Score = 10.00000)! In
>> fact, the message contains special characters.
>>
If by "special characters" you mean something other than what you put
in your alert[] buffer, you need to make alert[] static or declare it
outside of your function.  Only the pointer to alert[] is actually
queued.  Note that alertAdd() does not consume your data before
returning.  It is queued for later use.  If you allow other such
alerts to fire at the same time, you will need multiple buffers too.

>> For the MySQL database, barnyard2 can't save the alert with the message, so
>> it saves it as "Snort: Alert"; it noted that the trouble is with sid-msg.map
>> and gen-msg.map.
>>
>> Could you please tell me how to solve my problem? How can I get the
>> correct message and save the alert with it on Snort database?
>>
>> --
>> Sword Demon Dugu Qiubai - Oh, a lifetime of glorious victories, only wishing
>> to be defeated once, but no one has ever made it past three moves!!!
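An added example (not code from this thread or from Snort) that models the buffer-lifetime point made in the reply above: a constructed stand-in for _dpd.alertAdd that, as described, queues only the pointer, shown beside the stack-buffer form that produces the garbled message and a static ring-buffer form that survives until the output stage runs. The queue, the slot count and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for _dpd.alertAdd(): as the reply describes, only
 * the pointer to the message is queued; nothing is copied until later. */
#define MAX_QUEUED 8
static const char *queued_msg[MAX_QUEUED];
static int queued_count = 0;

static void mock_alert_add(const char *msg)
{
    if (queued_count < MAX_QUEUED) queued_msg[queued_count++] = msg; /* no copy */
}

/* Broken form: the buffer lives on the stack, so the queued pointer dangles
 * once this returns (the garbled-message symptom). Never called here. */
static void raise_alert_dangling(double score)
{
    char alert[64];
    snprintf(alert, sizeof alert, "Alert: Score = %.2f", score);
    mock_alert_add(alert);
}

/* Fixed form: a static ring of buffers outlives the call, and giving each
 * alert its own slot lets several alerts sit in the queue before the flush. */
#define RING_SLOTS 4
static char alert_ring[RING_SLOTS][64];
static unsigned ring_next = 0;

static void raise_alert_static(double score)
{
    char *alert = alert_ring[ring_next++ % RING_SLOTS];
    snprintf(alert, sizeof alert_ring[0], "Alert: Score = %.2f", score);
    mock_alert_add(alert);
}

/* The deferred consumer: what an output module sees when it finally runs. */
static int queued_messages(void) { return queued_count; }
static const char *queued_message(int i)
{
    return (i >= 0 && i < queued_count) ? queued_msg[i] : NULL;
}

int main(void)
{
    (void)raise_alert_dangling;             /* kept for contrast, not run */
    raise_alert_static(10.0);
    raise_alert_static(7.5);
    for (int i = 0; i < queued_messages(); i++)
        printf("%s\n", queued_message(i));  /* both messages arrive intact */
    return 0;
}
```

With a ring of RING_SLOTS buffers, more than that many alerts queued before a flush would start overwriting the oldest slot, so the ring must be sized to the maximum number of alerts that can be outstanding at once.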



