[Snort-devel] How to use alertAdd to generate a "variable" alert message?

Hai Minh Nguyen lightsea90 at ...2499...
Fri May 31 02:40:58 EDT 2013


Thanks, Russ! :) Solved!


On Tue, May 28, 2013 at 9:44 AM, Russ Combs <rcombs at ...402...> wrote:

> On Mon, May 27, 2013 at 2:49 PM, Hai Minh Nguyen <lightsea90 at ...2499...>
> wrote:
> > Help me, please!
> >
> >
> > On Sat, May 25, 2013 at 11:16 PM, Hai Minh Nguyen <lightsea90 at ...3054....>
> > wrote:
> >>
> >> Hi,
> >>
> >> I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor. But
> >> I face a problem:
> >>
> >> I ran this code:
> >>
> >> char alert[256];
> >> double score = MyFunction();
> >> sprintf(alert, "Alert: Score = %lf", score);
> >> _dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);
> >>
> >> I'm using 2 output modules to check it: alert_fast and unified2 (to mysql
> >> by barnyard2). I checked the result in alert_fast output file but it didn't
> >> show the correct alert message (e.g. Alert: Score = 10.00000)! In fact, the
> >> message contains special characters.
> >>
> If by "special characters" you mean something other than what you put
> in your alert[] buffer, you need to make alert[] static or declare it
> outside of your function.  Only the pointer to alert[] is actually
> queued.  Note that alertAdd() does not consume your data before
> returning.  It is queued for later use.  If you allow other such
> alerts to fire at the same time, you will need multiple buffers too.
>
> >> For mysql database, barnyard2 can't save the alert with the message, so it
> >> saves it as "Snort: Alert"; it noted that the trouble is with sid-msg.map and
> >> gen-msg.map.
> >>
> >> Could you please tell me how to solve my problem? How can I get the
> >> correct message and save the alert with it on Snort database?
> >>
> >> --
> >> Sword Demon Độc Cô Cầu Bại - Oh, a lifetime of glory, wishing only to be
> >> defeated once, yet no one has ever lasted beyond three strokes!!!
> >
> >
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Sword Demon Độc Cô Cầu Bại - Oh, a lifetime of glory, wishing only to be
defeated once, yet no one has ever lasted beyond three strokes!!!
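The mechanism Russ describes (alertAdd() queues only the pointer and reads the text later, so the buffer must outlive the calling function, and concurrent alerts need separate buffers) can be demonstrated without linking against Snort. The following is an added example, not code from the thread or from the Snort tree: fake_alertAdd() stands in for _dpd.alertAdd() and copies nothing, the stack-buffer version shows the original bug, and a ring of static buffers shows the fix. The queue size and the number of ring slots (RING_SLOTS) are assumptions chosen for illustration; in a real preprocessor the slot count must cover the most alerts one packet can raise before the queue is drained.

```c
/* Added example (not Snort code): why a stack buffer passed to alertAdd()
 * yields garbage, and how a ring of static buffers fixes it. */
#include <stdio.h>
#include <string.h>

#define MSG_LEN     256
#define MAX_QUEUED  16
#define RING_SLOTS  4   /* assumption: most alerts one packet raises at once */

/* Stand-in for Snort's alert queue: like _dpd.alertAdd(), it stores only the
 * pointer it was given and reads the text later, when the queue is drained. */
static const char *queued[MAX_QUEUED];
static int nqueued;

static void fake_alertAdd(const char *msg)
{
    if (nqueued < MAX_QUEUED)
        queued[nqueued++] = msg;        /* no copy: msg must stay valid */
}

/* What the original post did: a stack buffer. The queued pointer dangles as
 * soon as this function returns, which is the "special characters" symptom.
 * Never drained in this example because reading it is undefined behaviour. */
static void buggy_score_alert(double score)
{
    char alert[MSG_LEN];
    snprintf(alert, sizeof alert, "Alert: Score = %.2f", score);
    fake_alertAdd(alert);
}

/* Fix: static storage that outlives the call, and a ring of buffers so that
 * several alerts queued for the same packet do not share one buffer. */
static char ring[RING_SLOTS][MSG_LEN];
static unsigned ring_next;

void score_alert(double score)
{
    char *buf = ring[ring_next];
    ring_next = (ring_next + 1) % RING_SLOTS;
    snprintf(buf, MSG_LEN, "Alert: Score = %.2f", score);
    fake_alertAdd(buf);
}

/* Drain the queue the way an output plugin would: copy each message text
 * into out[] and return how many alerts were logged. */
int drain_queue(char out[][MSG_LEN], int max)
{
    int n = 0;
    for (int i = 0; i < nqueued && n < max; i++, n++) {
        strncpy(out[n], queued[i], MSG_LEN - 1);
        out[n][MSG_LEN - 1] = '\0';
    }
    nqueued = 0;
    return n;
}

/* Raise 'count' alerts for one packet with scores 1.0, 2.0, ..., then drain.
 * Returns how many logged messages still carry the score they were queued
 * with; anything beyond RING_SLOTS reuses a slot and corrupts an earlier one. */
int count_intact_alerts(int count)
{
    static char out[MAX_QUEUED][MSG_LEN];
    char expect[MSG_LEN];
    int ok = 0;

    nqueued = 0;
    ring_next = 0;
    for (int i = 0; i < count; i++)
        score_alert((double)(i + 1));

    int n = drain_queue(out, MAX_QUEUED);
    for (int i = 0; i < n; i++) {
        snprintf(expect, sizeof expect, "Alert: Score = %.2f", (double)(i + 1));
        if (strcmp(out[i], expect) == 0)
            ok++;
    }
    return ok;
}

int main(void)
{
    (void)buggy_score_alert;   /* shown for contrast only, never called */
    printf("3 alerts, %d slots: %d intact\n", RING_SLOTS, count_intact_alerts(3));
    printf("6 alerts, %d slots: %d intact\n", RING_SLOTS, count_intact_alerts(6));
    return 0;
}
```

With four slots, three alerts per packet all log correctly; six alerts wrap the ring, so the first two queued pointers now point at buffers that were overwritten by alerts five and six, and only four of the six messages come out as queued. That is the concrete form of "if you allow other such alerts to fire at the same time, you will need multiple buffers too": size the ring for the worst case, or format directly into per-alert storage that is not reused until the queue has been drained.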