[Snort-users] new rules, any db changes?

Martin Roesch roesch at ...421...
Fri Mar 16 23:30:07 EST 2001


The db schema and the database plugin have been updated (and committed to
CVS by Jed) to include support for the sp_ref plugin, so all that needs
updating now are the analysis programs (snortsnarf, acid, etc).

     -Marty

Kevin.Brown at ...1022... wrote:
> 
> Thanks.  Any idea on when the new db schema will be implemented?  I'm looking
> at the new rules now and I noticed that the reference isn't always a
> number.  I wonder how that would work for searching.
> 
> > > I just downloaded the latest CVS version of snort from
> > > sourceforge and was
> > > looking at the rules.  I noticed that the rules no longer
> > > have the IDS number
> > > as part of the message field.
> >
> > Yup.
> >
> > > So I went looking through the
> > > spo_database.c
> > > file to see if there were any comments regarding a change in
> > > the db format.  I
> > > didn't see any that I could identify.
> >
> > Nope.
> > >  Is the new rules
> > > format going to affect
> > > the current db schema?
> >
> > Yup.
> >
> > Please find attached a diff to spo_database.c (created by Brian Caswell)
> > that concatenates the ref info back into msg so it fits in the current
> > database schema.
> > Also find attached a diff to acid (by me) that parses these new messages
> > (and the old ones for backwards compatibility) so the hyperlinks to
> > whitehats/CVE still work.
> >
> >
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
