[Snort-sigs] Alerts lacking signature names

David R. Waddell dave.waddell at ...2440...
Fri Jun 25 10:19:00 EDT 2004


We are seeing empty signature names while using the MySQL database output 
module. The empty alerts have signature.sig_sid of 1.

There does not appear to be a normal alert (generator=1) with a sig_sid of 
1 so it appears that the source for these alerts is probably one of the 
other generators (preprocessors).

In the generators.h file (Snort 2.1.3), there appear to be a number of 
alerts defined without a string defined for them. However, the strings for 
all the generators do not appear to be in this file. For the generators 
that have strings listed in this file, the one candidate with a sig_sid of 
1 is: HTTP_DECODE_UNICODE_ATTACK.

The other alarms which appear to lack strings are:
HTTP_DECODE_CGINULL_ATTACK (2 is the sig_sid)
GENERATOR_SPP_FRAG2: FRAG2_MEM_EXCEED (6 is the sig_sid)

Have others run into these problems and is the fix to add strings to the 
generators.h file? If so, where should these problems be reported so that 
the source code is updated?

David Waddell



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self 
defense, top technical experts, no vendor pitches, unmatched networking 
opportunities. Visit www.blackhat.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
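
The check described in the message above, written out as an added example (not part of the original post and not Snort project code): it scans a generators.h-style header for numeric alert ids that have no matching message string, and lists the candidates for a given sig_sid. It assumes that message strings are defined as `<ALERT_NAME>_STR` and that alert ids follow their `GENERATOR_*` define; the sample header is constructed, and its generator numbers and `FRAG2_EXAMPLE_NAMED` are hypothetical.

```python
import re

# Constructed sample in the style of generators.h; NOT the real file contents.
# Generator numbers (9001, 9002) and FRAG2_EXAMPLE_NAMED are hypothetical.
SAMPLE_HEADER = '''
#define GENERATOR_SPP_HTTP_DECODE   9001
#define     HTTP_DECODE_UNICODE_ATTACK     1
#define     HTTP_DECODE_CGINULL_ATTACK     2

#define GENERATOR_SPP_FRAG2         9002
#define     FRAG2_EXAMPLE_NAMED            1   /* hypothetical */
#define     FRAG2_MEM_EXCEED               6

#define FRAG2_EXAMPLE_NAMED_STR "(spp_frag2) example message"
'''

DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(.+?)\s*$')


def alerts_missing_strings(header_text):
    """Return [(generator, alert_name, sid)] for alert ids with no NAME_STR define."""
    named = set()      # alert names that do have a message string
    alerts = []        # every numeric alert id, tagged with its generator
    generator = None
    for line in header_text.splitlines():
        m = DEFINE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith('"'):
            # Assumed convention: FOO_STR carries the message for alert FOO.
            if name.endswith('_STR'):
                named.add(name[:-len('_STR')])
            continue
        value = re.sub(r'/\*.*?\*/', '', value).strip()  # drop trailing C comment
        if not value.isdigit():
            continue
        if name.startswith('GENERATOR_'):
            generator = name
        else:
            alerts.append((generator, name, int(value)))
    return [a for a in alerts if a[1] not in named]


def candidates_for_sid(header_text, sid):
    """Unnamed alerts that would be stored with the given signature.sig_sid."""
    return [a for a in alerts_missing_strings(header_text) if a[2] == sid]
```
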



