[Snort-sigs] Alerts lacking signature names

David R. Waddell dave.waddell at ...2440...
Mon Jun 28 10:04:00 EDT 2004


We are seeing empty signature names while using the MySQL database output 
module. The empty alerts have signature.sig_sid of 1.

There does not appear to be a normal alert (generator=1) with a sig_sid of 
1 so it appears that the source for these alerts is probably one of the 
other generators (preprocessors).

In the generators.h file (Snort 2.1.3), there appear to be a number of 
alerts defined without a string defined for them. However, the strings for 
all the generators do not appear to be in this file. For the generators 
that have strings listed in this file, the one candidate with a sig_sid of 
1 is: HTTP_DECODE_UNICODE_ATTACK.

The other alarms which appear to lack strings are:
HTTP_DECODE_CGINULL_ATTACK (2 is the sig_sid)
GENERATOR_SPP_FRAG2: FRAG2_MEM_EXCEED (6 is the sig_sid)

Have others run into these problems and is the fix to add strings to the 
generators.h file? If so, where should these problems be reported so that 
the source code is updated?

David Waddell
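The problem described in the post is a lookup failure: the database output module records a generator id and signature id, but the human-readable message for preprocessor alerts lives in a separate map rather than in the rule set. The following is an added example, not code from the original post or from the Snort project. It parses a gen-msg.map-style table (the `gid || sid || message` line format Snort ships for preprocessor alerts; the MAP_TEXT below is a constructed sample, and the generator numbers in it are assumptions for illustration), then walks a constructed set of alert rows, fills in the missing names it can resolve, and reports the (gid, sid) pairs that remain nameless so they can be traced back to the preprocessor that produced them.

```python
"""Resolve Snort (generator id, signature id) pairs to message strings.

Added example; not the Snort project's own code. Assumes the map uses the
gen-msg.map line format 'gid || sid || message'. The sample map and the
sample alert rows below are constructed for this illustration; the
generator numbers (103 for http_decode, 113 for frag2) are assumptions.
"""
from typing import Dict, List, Tuple

# Constructed sample map text (NOT the real gen-msg.map from Snort 2.1.3).
MAP_TEXT = """\
# gid || sid || message
1 || 1 || snort general alert
103 || 1 || spp_http_decode: IIS Unicode attack detected
113 || 6 || spp_frag2: Exceeded memory usage
"""

# Constructed alert rows as (sig_gid, sig_sid, sig_name) with empty names,
# mirroring the symptom in the post: preprocessor alerts stored without text.
SAMPLE_ALERTS: List[Tuple[int, int, str]] = [
    (1, 1000001, "LOCAL constructed test rule"),  # normal rule with a name
    (103, 1, ""),   # http_decode, sid 1: empty name in the database
    (103, 2, ""),   # http_decode, sid 2: deliberately absent from MAP_TEXT
    (113, 6, ""),   # frag2, sid 6: empty name in the database
]


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Parse 'gid || sid || message' lines into a (gid, sid) -> message dict.

    Blank lines, comments and malformed lines are skipped rather than
    aborting the whole load, so one bad line cannot blank every lookup.
    """
    table: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue
        try:
            gid, sid = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        # Re-join in case the message text itself contained the separator.
        table[(gid, sid)] = " || ".join(parts[2:])
    return table


def resolve_alert_names(
    alerts: List[Tuple[int, int, str]], table: Dict[Tuple[int, int], str]
) -> Tuple[List[Tuple[int, int, str]], List[Tuple[int, int]]]:
    """Fill in empty signature names from the map.

    Returns (resolved, unresolved): rows that now carry a name, and the
    (gid, sid) pairs for which neither the database nor the map has text.
    """
    resolved: List[Tuple[int, int, str]] = []
    unresolved: List[Tuple[int, int]] = []
    for gid, sid, name in alerts:
        if name:
            resolved.append((gid, sid, name))
            continue
        msg = table.get((gid, sid))
        if msg is None:
            unresolved.append((gid, sid))
        else:
            resolved.append((gid, sid, msg))
    return resolved, unresolved


def unresolved_by_generator(unresolved: List[Tuple[int, int]]) -> Dict[int, int]:
    """Count nameless alerts per generator id, to point at the preprocessor."""
    counts: Dict[int, int] = {}
    for gid, _sid in unresolved:
        counts[gid] = counts.get(gid, 0) + 1
    return counts


if __name__ == "__main__":
    gen_map = parse_gen_msg_map(MAP_TEXT)
    ok, missing = resolve_alert_names(SAMPLE_ALERTS, gen_map)
    for gid, sid, name in ok:
        print(f"gid={gid:<4} sid={sid:<8} {name}")
    for gid, sid in missing:
        print(f"gid={gid:<4} sid={sid:<8} <no message string in map>")
    print("nameless alerts per generator:", unresolved_by_generator(missing))
```

Running the block prints the three rows whose names were found and flags (103, 2) as still nameless, which is the kind of list a maintainer would need before adding strings to the map; with a real export of the `signature` table in place of SAMPLE_ALERTS, the per-generator count shows which preprocessor is producing the empty entries.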




