[Snort-users] SnortSnarf patch for www.snort.org/snort-db

Owen Crow ocrow at ...5054...
Thu Mar 14 19:33:01 EST 2002


Attached is a quick patch I made to add a link to the new snort-db on
www.snort.org.  Now, along with "arachnids", "bugtraq", "cve", etc.
there will be a [sid] link next to signatures.

Pretty easy to hack in thanks to the in-line docs and structure of the
code.

This was only tested minimally on a full alert file so YMMV.

Regards,
Owen
-------------- next part --------------
diff -r -u SnortSnarf-020126.1.orig/include/SnortSnarf/SnortFileInput.pm SnortSnarf-020126.1/include/SnortSnarf/SnortFileInput.pm
--- SnortSnarf-020126.1.orig/include/SnortSnarf/SnortFileInput.pm       Sat Jan 26 15:02:09 2002
+++ SnortSnarf-020126.1/include/SnortSnarf/SnortFileInput.pm    Wed Mar 13 21:11:36 2002
@@ -74,6 +74,8 @@
         return "http://vil.nai.com/vil/dispVirus.asp?virus_k=$id";
     } elsif ($cite eq 'url') {
         return "http://$id";
+    } elsif ($cite eq 'sid') {
+        return "http://www.snort.org/snort-db/sid.html?id=$id";
     } else {
         return undef;
     }
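Review bot: the new 'sid' branch interpolates $id straight into the href with no check that it is numeric. In the alert-parsing hunks the sid comes from a (\d+) capture, so it is digits there, but the reverse mapping in the next hunk can hand back whatever followed id= in a stored URL. A cheap guard keeps this consistent: `return "http://www.snort.org/snort-db/sid.html?id=$id" if $id =~ /^\d+$/;` and fall through to the `return undef` otherwise.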
@@ -89,7 +91,9 @@
         return ('cve',$1);
     } elsif (m!http://vil\.nai\.com/vil/dispVirus\.asp\?virus_k=(.*)!) {
         return ('mcafee',$1);
-   } elsif (m!http://(.*)!) {
+    } elsif (m!http://www\.snort\.org/snort-db/sid\.html\?id=(.*)!) {
+        return ('sid',$1);
+    } elsif (m!http://(.*)!) {
         return ('url',$1);
     } else {
         return ();
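Review bot: placing the snort-db pattern before the generic `m!http://(.*)!` catch-all is the right order, otherwise every snort-db link would be classified as a plain 'url'. Two smaller points: the capture `(.*)` accepts anything after `id=`, so mirror the sid format with `(\d+)` to match what the alert parser produces; and the `-`/`+` pair on the `} elsif (m!http://(.*)!) {` line is a whitespace-only change (3 spaces to 4) that adds noise to the hunk, so either drop it or call it out as an indentation fix.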
@@ -304,7 +308,8 @@
         #
         # the first line just holds the attack id
         s/^\[\*\*\]\s*//; s/\s*\[\*\*\]\s*$//;
-        s/\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+        s/\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+        $refs{'sid'} = $1;
         $sig = $_;
             # Note: does not handle preprocessor log output

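Review bot: `$refs{'sid'} = $1;` is executed unconditionally, but $1 is only set when the preceding substitution matched. An alert line without a `[gid:sid:rev]` tag (older Snort output, preprocessor alerts) leaves $1 holding the capture from the last successful match, so a stale or unrelated sid would be attached to this alert. Tie the assignment to the match: `$refs{'sid'} = $1 if s/\[\d+:(\d+):\d+\]//;`. It is also not visible in this hunk whether %refs is reset per alert; if it is not, the same stale-sid problem arises across alerts.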
@@ -419,7 +424,8 @@
         }
         s/^\-(\S*)//;
         $time= $1;
-        s/\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+        s/\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+        $refs{'sid'} = $1;
         if (s/\[Classification\s*:\s*([^\]]+)\]//) { # extract class and priority
             $classificationtext= $1;
         }
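Review bot: same issue as in the first parsing hunk: the `$refs{'sid'} = $1;` after `s/\[\d+:(\d+):\d+\]//;` should be conditional on the substitution succeeding, otherwise $1 may carry the value of an earlier match (for example the `s/^\-(\S*)//` time capture just above it) when this line lacks the `[gid:sid:rev]` tag. `$refs{'sid'} = $1 if s/\[\d+:(\d+):\d+\]//;` avoids that.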
@@ -465,7 +471,8 @@
         if (s/\[Priority\s*: (\d+)*\]//) {
             $prioritynum= $1;
         }
-        s/^\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+        s/^\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+        $refs{'sid'} = $1;
         $sig= $_;
         $pkt->set('protocol' => $proto) if defined($proto);
     } else { # $format eq 'spp_portscan'
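Review bot: this third copy of the capture has the same unconditional `$refs{'sid'} = $1;` as the other two; here the nearest earlier capture is `$prioritynum` from the `[Priority: N]` match, so a line without the anchored `^[gid:sid:rev]` tag would record the priority number as the sid. Guard it the same way (`$refs{'sid'} = $1 if s/^\[\d+:(\d+):\d+\]//;`), and since the same three lines now appear in three formats, a tiny helper that returns the sid or undef would keep them in step.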
