[Snort-users] spo_database oddity

Steve Halligan agent33 at ...187...
Thu May 3 13:34:28 EDT 2001

1) A rule triggers that has reference info.
2) ref info is properly added to the database for the signature in #1.
3) The next alert comes from a preprocessor.
4) The ref info from #2 that applies to alert in #1 is added to the database
for the signature create for #3.
5) All preprocessor generated alerts after this also get the ref info from
#2, until a rule based alert happens with no ref info.  If a rule based
alert happens with and different ref, the preprocssor alerts log with the
new ref.

This has been seen with spp_portscan.  I have not tested the other
preprocessors, but a quick look through the code suggests to me that it
should effect all preprocessor generated alerts.  This happens with
spo_database. Syslog and logfile logging do not have this behavior. Other
log types have not been tested.  It appears to me the the value of otn_temp
not getting reset and then getting called by spo_database for all alerts
(including preprocessor ones) is the problem.

Snort 1.8 (CVS from yesterday)

How to reproduce:
1)  Trigger an alert with ref info (I just did a
http://www.webserver.com/../../ to one of my webservers)
2)  Quickly nmap -p 1-10 ipaddress (you need a limited scan that wont
trigger any rule based alerts)

Of course you need to have spp_portscan connected to the alert facility.

More information about the Snort-users mailing list