[Snort-users] what is this mean?

Vinay A. Mahadik VAMahadik at ...6245...
Tue Aug 13 17:22:07 EDT 2002


Matt Kettler wrote:
> 
> Offhand I can't tell you what the first number (the 1) is, but the second

It's the signature generator sig_generator :

> grep sig_generator *.h
event.h:    u_int32_t sig_generator;   /* which part of snort generated the alert? */

> grep sig_generator *.c
log.c:                        (unsigned long) event->sig_generator,
log.c:                        (unsigned long) event->sig_generator,
log.c:                    (unsigned long) event->sig_generator,
log.c:    event->sig_generator = generator;
rules.c:    otn_tmp->event_data.sig_generator = GENERATOR_SNORT_ENGINE;
spo_SnmpTrap.c:    if     (event->sig_generator == GENERATOR_SPP_PORTSCAN)
spo_SnmpTrap.c:    if (event->sig_generator == GENERATOR_SPP_PORTSCAN)
spo_alert_syslog.c:                    (unsigned long) event->sig_generator,
spo_idmef.c:    switch(event->sig_generator)
spo_unified.c:        logheader.event.sig_generator = event->sig_generator;
spo_unified.c:        printf("gen: %u\n", logheader.event.sig_generator);
spo_unified.c:        alertdata.event.sig_generator = event->sig_generator;

And from log.c :

void AlertFull(Packet * p, char *msg, FILE * file, Event *event)
{
    char timestamp[TIMEBUF_SIZE];

    if(msg != NULL)
    {
        fwrite("[**] ", 5, 1, file);

        if(event != NULL)
        {
                fprintf(file, "[%lu:%lu:%lu] ", 
                        (unsigned long) event->sig_generator,
                        (unsigned long) event->sig_id, 
                        (unsigned long) event->sig_rev);
        }
...


--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
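An added example, not from the post or from the Snort source, that parses the "[**] [gen:sid:rev] msg [**]" header AlertFull writes and groups alerts by their generator. The numeric values 1 (GENERATOR_SNORT_ENGINE) and 100 (GENERATOR_SPP_PORTSCAN) are the ones Snort's generators.h assigns to the two constants seen in the grep output; the sample alert lines are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Generator IDs as defined in Snort's generators.h for the two constants
# that appear in the grep output above. Other preprocessor IDs are omitted.
GENERATOR_NAMES = {
    1: "GENERATOR_SNORT_ENGINE",    # alert raised by a rule in the ruleset
    100: "GENERATOR_SPP_PORTSCAN",  # alert raised by the portscan preprocessor
}

# Matches the header written by AlertFull: "[**] [gen:sid:rev] msg [**]".
_HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

class AlertId(NamedTuple):
    generator: int
    sid: int
    rev: int
    msg: str

def parse_alert_header(line: str) -> Optional[AlertId]:
    """Return the (gen, sid, rev, msg) tuple, or None when the line carries
    no event header (AlertFull omits the bracketed ids when event is NULL)."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    gen, sid, rev, msg = m.groups()
    return AlertId(int(gen), int(sid), int(rev), msg)

def describe_generator(gen: int) -> str:
    """Name the subsystem that produced the alert; unknown ids are reported
    as such rather than guessed."""
    return GENERATOR_NAMES.get(gen, "unknown generator %d" % gen)

def count_by_generator(lines: List[str]) -> Dict[str, int]:
    """Tally how many alerts each generator produced, skipping header-less lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        alert = parse_alert_header(line)
        if alert is None:
            continue
        name = describe_generator(alert.generator)
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample alert lines in the AlertFull format (not real captures).
SAMPLE_ALERTS = [
    "[**] [1:1000001:2] LOCAL test rule [**]",
    "[**] [100:1:1] spp_portscan: PORTSCAN DETECTED [**]",
    "[**] [1:1000002:1] LOCAL second test rule [**]",
    "[**] header without event ids [**]",
]
```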
