[Snort-devel] How to use alertAdd to generate a "variable" alert message?
Hai Minh Nguyen
lightsea90 at ...2499...
Fri May 31 02:40:58 EDT 2013
Thanks, Russ! :) Solved!
On Tue, May 28, 2013 at 9:44 AM, Russ Combs <rcombs at ...402...> wrote:
> On Mon, May 27, 2013 at 2:49 PM, Hai Minh Nguyen <lightsea90 at ...2499...>
> > Help me, please!
> > On Sat, May 25, 2013 at 11:16 PM, Hai Minh Nguyen <lightsea90 at ...3054....>
> > wrote:
> >> Hi,
> >> I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor.
> >> I face a problem:
> >> I ran this code:
> >> char alert[64];  /* local buffer; size assumed, a bare char cannot hold the string */
> >> double score = MyFunction();
> >> snprintf(alert, sizeof alert, "Alert: Score = %lf", score);
> >> _dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);
> >> I'm using 2 output modules to check it: alert_fast and unified2 (to
> >> by barnyard2). I checked the result in the alert_fast output file and it
> >> shows the correct alert message (e.g. Alert: Score = 10.00000)! In
> >> fact, the message contains special characters.
> If by "special characters" you mean something other than what you put
> in your alert buffer, you need to make alert static or declare it
> outside of your function. Only the pointer to alert is actually
> queued. Note that alertAdd() does not consume your data before
> returning. It is queued for later use. If you allow other such
> alerts to fire at the same time, you will need multiple buffers too.
> >> For the MySQL database, barnyard2 can't save the alert with the message, so it
> >> saves it as "Snort: Alert"; it noted that the trouble is with sid-msg.map and
> >> gen-msg.map.
> >> Could you please tell me how to solve my problem? How can I get the
> >> correct message and save the alert with it in the Snort database?
> >> --
> >> Sword Demon Dugu Qiubai - Oh, a whole life of glory, wishing only to be defeated
> >> once, yet no one has ever lasted past three moves!!!
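As an added example (not code from the thread or from Snort itself) modelling the point Russ makes above: the queue keeps only the message pointer, so the buffer must outlive the preprocessor function, and several alerts pending at once need separate buffers. The queue, the pool size, MSG_LEN and the function names are assumptions of this model, not Snort's API.

```c
#include <stdio.h>
#include <string.h>

#define MAX_QUEUED 8   /* assumed: alerts that may be pending at one time */
#define MSG_LEN   64   /* assumed: room for "Alert: Score = %lf" */

/* Queue model of alertAdd(): only the pointer is stored, nothing is copied,
 * so the text must stay valid until the output plugins run. */
static const char *queue[MAX_QUEUED];
static int queued;

static int queue_alert(const char *msg)
{
    if (queued >= MAX_QUEUED)
        return -1;
    queue[queued++] = msg;
    return 0;
}

/* Pool of static buffers, one per pending alert. A local `char alert[64]`
 * in the preprocessor function would be gone (or overwritten by the next
 * call) by the time the queue is read, which is what garbles the message. */
static char pool[MAX_QUEUED][MSG_LEN];
static int  next_buf;

/* Formats a score into a free pool buffer and queues it. Returns 0 on success,
 * -1 when every buffer is still pending and firing would clobber one. */
int raise_score_alert(double score)
{
    if (queued >= MAX_QUEUED)
        return -1;
    char *buf = pool[next_buf];
    next_buf = (next_buf + 1) % MAX_QUEUED;
    /* bounded write: a single char or an undersized array overflows here */
    snprintf(buf, MSG_LEN, "Alert: Score = %lf", score);
    return queue_alert(buf);
}

/* Output-plugin model: dereferences the queued pointers only now, copying
 * each message into out[]. Returns the number of alerts flushed. */
int flush_alerts(char out[][MSG_LEN], int max)
{
    int n = queued < max ? queued : max;
    for (int i = 0; i < n; i++) {
        strncpy(out[i], queue[i], MSG_LEN - 1);
        out[i][MSG_LEN - 1] = '\0';
    }
    queued = 0;
    return n;
}
```

Call raise_score_alert() from the preprocessor path and flush_alerts() where the output plugins would run; two alerts fired before the flush keep their own text.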