[Snort-users] spo_database oddity
agent33 at ...187...
Thu May 3 13:34:28 EDT 2001
1) A rule triggers that has reference info.
2) Ref info is properly added to the database for the signature in #1.
3) The next alert comes from a preprocessor.
4) The ref info from #2 that applies to the alert in #1 is added to the database for the signature created for #3.
5) All preprocessor generated alerts after this also get the ref info from #2, until a rule based alert happens with no ref info. If a rule based alert happens with a different ref, the preprocessor alerts log with the
This has been seen with spp_portscan. I have not tested the other preprocessors, but a quick look through the code suggests to me that it should affect all preprocessor generated alerts. This happens with spo_database. Syslog and logfile logging do not have this behavior. Other log types have not been tested. It appears to me that the value of otn_temp not getting reset, and then getting called by spo_database for all alerts (including preprocessor ones), is the problem.
Snort 1.8 (CVS from yesterday)
How to reproduce:
1) Trigger an alert with ref info (I just did a http://www.webserver.com/../../ to one of my webservers)
2) Quickly nmap -p 1-10 ipaddress (you need a limited scan that won't trigger any rule based alerts)
Of course you need to have spp_portscan connected to the alert facility.