[Snort-sigs] Alerts lacking signature names
David R. Waddell
dave.waddell at ...2440...
Tue Jun 22 12:26:06 EDT 2004
We are seeing empty signature names while using the MySQL database output
module. The empty alerts have signature.sig_sid of 1.

There does not appear to be a normal alert (generator=1) with a sig_sid of
1, so it appears that the source for these alerts is probably one of the
other generators (preprocessors).

In the generators.h file (Snort 2.1.3), there appear to be a number of
alerts defined without a string defined for them. However, the strings for
all the generators do not appear to be in this file. For the generators
that have strings listed in this file, the one candidate with a sig_sid of
1 is: HTTP_DECODE_UNICODE_ATTACK.

The other alarms which appear to lack strings are:
HTTP_DECODE_CGINULL_ATTACK (2 is the sig_sid)
GENERATOR_SPP_FRAG2: FRAG2_MEM_EXCEED (6 is the sig_sid)

Have others run into these problems, and is the fix to add strings to the
generators.h file? If so, where should these problems be reported so that
the source code is updated?
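The post is about pinning an unnamed alert to the preprocessor that produced it. One way to do that cross-check, as an added example that is not part of the original post or of the Snort project: take the rows of the `signature` table whose `sig_name` is empty and look them up by (generator id, signature id) in a `gen-msg.map` style file, which the example assumes uses the `gid || sid || message` line format. All rows and map lines below are constructed sample data (the 102 and 113 generator ids, the 117 row and the message text are illustrative, not taken from the post), and the `sig_gid` column is an assumption about the schema. The script reports which empty names can be filled from the map and which have no mapping at all, which is the set worth reporting as a source issue.

```python
"""Cross-reference unnamed Snort DB signature rows against a gen-msg.map style file.

Added example; constructed data throughout. Assumes gen-msg.map lines look like
"gid || sid || message" and that the signature table carries sig_gid and sig_sid.
"""
from typing import Dict, List, Tuple

# Constructed gen-msg.map contents (assumed "gid || sid || message" format).
GEN_MSG_MAP = """\
# generator id || signature id || message
1 || 1 || snort general alert
102 || 1 || spp_http_decode: unicode attack
102 || 2 || spp_http_decode: cgi null byte attack
113 || 6 || spp_frag2: memory cap exceeded
"""

# Constructed rows in the shape (sig_id, sig_gid, sig_sid, sig_name) of the
# Snort `signature` table; an empty sig_name is the symptom from the post.
SIGNATURE_ROWS: List[Tuple[int, int, int, str]] = [
    (1, 1, 2001, "WEB-MISC example rule"),
    (2, 102, 1, ""),
    (3, 102, 2, ""),
    (4, 113, 6, ""),
    (5, 117, 1, ""),   # constructed: no map entry, so it needs a source-side fix
]

MsgMap = Dict[Tuple[int, int], str]


def parse_gen_msg_map(text: str) -> MsgMap:
    """Parse gen-msg.map text into {(gid, sid): message}; comments and blanks skipped."""
    mapping: MsgMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line: ignore rather than guess
        gid, sid = int(parts[0]), int(parts[1])
        # A message may itself contain "||", so re-join the tail.
        mapping[(gid, sid)] = " || ".join(parts[2:])
    return mapping


def find_unnamed(
    rows: List[Tuple[int, int, int, str]], mapping: MsgMap
) -> Tuple[List[Tuple[int, int, int, str]], List[Tuple[int, int, int]]]:
    """Split empty-name rows into (resolved via map, unresolved).

    resolved entries are (sig_id, gid, sid, message); unresolved are (sig_id, gid, sid).
    """
    resolved, unresolved = [], []
    for sig_id, gid, sid, name in rows:
        if name.strip():
            continue  # already named, nothing to do
        msg = mapping.get((gid, sid))
        if msg is None:
            unresolved.append((sig_id, gid, sid))
        else:
            resolved.append((sig_id, gid, sid, msg))
    return resolved, unresolved


def update_params(resolved) -> List[Tuple[str, int]]:
    """Parameter tuples for a parameterised UPDATE, keyed by sig_id.

    Intended for: UPDATE signature SET sig_name = %s WHERE sig_id = %s
    Returning parameters rather than building SQL strings keeps the fix
    free of injection from whatever the map file happens to contain.
    """
    return [(msg, sig_id) for sig_id, _gid, _sid, msg in resolved]


if __name__ == "__main__":
    m = parse_gen_msg_map(GEN_MSG_MAP)
    ok, missing = find_unnamed(SIGNATURE_ROWS, m)
    for sig_id, gid, sid, msg in ok:
        print(f"sig_id={sig_id} gid={gid} sid={sid} -> {msg}")
    for sig_id, gid, sid in missing:
        print(f"sig_id={sig_id} gid={gid} sid={sid} -> NO MAPPING (report upstream)")
```

Run against a real database by replacing `SIGNATURE_ROWS` with the result of `SELECT sig_id, sig_gid, sig_sid, sig_name FROM signature WHERE sig_name = ''` and `GEN_MSG_MAP` with the contents of the installed map file; the unresolved list is what still has to be fixed in the generator definitions rather than in the database.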