[Snort-devel] Custom dynamic preprocessor - How to display alert message passed to alertAdd func?

Jan Hermes jan.hermes at ...3632...
Wed Sep 21 09:56:38 EDT 2016


Hello,

I built a dynamic preprocessor and would like it to create several 
specific alert messages. Let me give you a short example with some 
fictional assumptions:

- the preproc parses specific protocols that are not native to Snort

- let's say the protocol is: [src_address, dest_address, src_user_name]

- the preprocessor parses all this information from the packet

- if the src_user_name equals "bad_intruder", I want an alert to be 
generated (the simplified concatenation and comparison of strings is 
only for readability):
------------------------------------------------------

if (strcmp(parsed.src_user_name, "bad_intruder") == 0) {

     uint32_t gid = 100000, sid = 9000000, revision = 1;
     uint32_t classification = 0, priority = 3;
     void *rule_info = NULL;
     char msg[256];

     /* build the alert text from the parsed fields */
     snprintf(msg, sizeof(msg), "%s attacks %s",
              parsed.src_user_name, parsed.dest_address);

     _dpd.alertAdd(gid, sid, revision, classification, priority, msg,
                   rule_info);
}
-------------------------------------------------------

- the local.rules file has this entry:
        alert (sid: 9000000; gid: 100000; msg: "alarm"; rev: 1 )

- the output I get from the alert detection is:
         09/21-13:30:18.178080  [**] [100000:9000000:1] alarm [**]

- but I would like it to display the text I passed in from the 
preprocessor's code, e.g.:

         09/21-13:30:18.178080  [**] [100000:9000000:1] bad_intruder attacks 172.223.9.151 [**]


How can I achieve this? I have already tried omitting the message in 
local.rules, which leaves me without any message at all.

Thanks,
Jan
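Added example (not Jan's code and not part of Snort): the check-and-alert step from the post written out as self-contained C. It shows the two details the pseudocode glosses over when the fields come from a packet: the user name is compared with its parsed length rather than as a NUL-terminated string, and the message is formatted into a bounded buffer with %.*s so an oversized field cannot overrun it. `parsed_t`, `payload` and `mock_alertAdd` are constructed for this example; the mock's parameter list is my assumption of the `_dpd.alertAdd` signature from sf_dynamic_preprocessor.h and simply records the call so the result can be checked without linking against Snort.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields as a preprocessor would hold them after parsing the packet:
 * pointers into the payload plus explicit lengths, because packet data
 * is not NUL-terminated. Constructed for this example. */
typedef struct {
    const char *src_address;   size_t src_address_len;
    const char *dest_address;  size_t dest_address_len;
    const char *src_user_name; size_t src_user_name_len;
} parsed_t;

/* Length-aware comparison against a literal, so a field that merely
 * starts with "bad_intruder" (e.g. "bad_intruder2") does not match
 * and a shorter field is never read past its end. */
static int field_equals(const char *field, size_t len, const char *lit)
{
    size_t n = strlen(lit);
    return len == n && memcmp(field, lit, n) == 0;
}

/* Formats "<user> attacks <dest>" into buf; %.*s bounds each field by its
 * parsed length. Returns 1 if the whole message fit, 0 if it was truncated
 * (the buffer is still NUL-terminated in either case). */
static int build_alert_msg(const parsed_t *p, char *buf, size_t bufsz)
{
    int n = snprintf(buf, bufsz, "%.*s attacks %.*s",
                     (int)p->src_user_name_len, p->src_user_name,
                     (int)p->dest_address_len, p->dest_address);
    return n >= 0 && (size_t)n < bufsz;
}

/* Stand-in for _dpd.alertAdd (assumed signature). It records the last
 * call so the outcome can be inspected without Snort. */
static char last_msg[256];
static uint32_t last_gid, last_sid;

static int mock_alertAdd(uint32_t gid, uint32_t sid, uint32_t rev,
                         uint32_t classification, uint32_t priority,
                         const char *msg, void *rule_info)
{
    (void)rev; (void)classification; (void)priority; (void)rule_info;
    last_gid = gid;
    last_sid = sid;
    snprintf(last_msg, sizeof(last_msg), "%s", msg);
    return 0;
}

/* Returns 1 if an alert was raised for this parsed message, else 0. */
static int check_and_alert(const parsed_t *p)
{
    char msg[256];
    if (!field_equals(p->src_user_name, p->src_user_name_len, "bad_intruder"))
        return 0;
    /* a truncated message is still emitted: losing the tail of the text
     * is better than losing the alert */
    build_alert_msg(p, msg, sizeof(msg));
    mock_alertAdd(100000, 9000000, 1, 0, 3, msg, NULL);
    return 1;
}

/* Constructed sample payload: src|dest|user, fields located by offset. */
static const char payload[] = "10.0.0.5|172.223.9.151|bad_intruder";

int main(void)
{
    parsed_t p = { payload, 8, payload + 9, 13, payload + 23, 12 };
    if (check_and_alert(&p))
        printf("[%u:%u:1] %s\n", (unsigned)last_gid, (unsigned)last_sid,
               last_msg);
    return 0;
}
```

Running it prints `[100000:9000000:1] bad_intruder attacks 172.223.9.151`, which is the text the preprocessor hands to the alert call; whether that text or the rule's msg ends up in the log is exactly the question the post raises.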