[Snort-users] alerts with "[Xref => arachnids" tag bunched together in Snort alert file

Lawrence Reed Lawrence.Reed at ...1444...
Thu Oct 10 14:20:02 EDT 2002


Here is a change I made to 1.9.0 beta 6 for this problem.

I am currently using the alert file with full format and noticed that 
alerts with Xrefs do not have a blank line after them. Here is a small 
patch I use to get the blank lines more consistent.


--- src/log.c    Fri Jun 21 09:55:06 2002
+++ src-new/log.c    Mon Aug 19 10:08:50 2002
@@ -1680,7 +1680,8 @@
 * Returns: void function
 */
void PrintXrefs(FILE *fp, int do_newline)
-{
+{  +    int checknewline = 0;
    ReferenceNode *refNode = NULL;

    if(otn_tmp)
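Review bot: the new local `checknewline` at the top of PrintXrefs only ever records whether at least one reference was printed, so a name such as `printed_xref` would say what it means; also, in this copy of the patch the `+{` line and the `+    int checknewline = 0;` line have run together on one line, so anyone applying it by hand needs to split them back into two lines first.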
@@ -1691,7 +1692,9 @@
        {
            FPrintReference(fp, refNode);
            refNode = refNode->next;
+            checknewline = 1;
        }
+        if ( do_newline && checknewline ) fprintf(fp,"\n");
    }
}
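Review bot: `if ( do_newline && checknewline ) fprintf(fp,"\n");` as a braceless one-liner breaks with the brace style of the surrounding code; write it as a braced block. The flag is also redundant, since it is set to 1 on every iteration of the loop, so the same condition is "the reference list was non-empty", which can be tested directly before the loop. Finally, confirm the behaviour when `otn_tmp` is set but carries no references: the trailing newline is then skipped, so the blank line separating those alerts must still come from the caller, otherwise Xref alerts gain a separator while alerts without Xrefs lose one.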




murcsu murcsu at ...2146... wrote:

>I searched the archives but didn't see any mention of this.
>
>Since I upgraded to Snort 1.9, the alerts with the "[Xref => arachnids" 
>tag are bunched together without a blank line separating them.
>
>[**] [1:566:3] POLICY PCAnywhere server response [**]
>[Classification: Misc activity] [Priority: 3] 
>10/09-17:37:23.059980 a.b.c.d:44100 -> w.x.y.z:5632
>UDP TTL:116 TOS:0x0 ID:15491 IpLen:20 DgmLen:30
>Len: 10
>[Xref => arachnids 239]
>[**] [1:480:2] ICMP PING speedera [**]
>[Classification: Misc activity] [Priority: 3] 
>10/09-17:40:11.503608 a.b.c.d -> w.x.y.z
>ICMP TTL:49 TOS:0x0 ID:38604 IpLen:20 DgmLen:84
>Type:8  Code:0  ID:7693   Seq:59926  ECHO
>
>The alerts without the Xref tag display with whitespace between them.
>
>[**] [1:1002:5] WEB-IIS cmd.exe access [**]
>[Classification: Web Application Attack] [Priority: 1] 
>10/09-23:22:12.196847 a.b.c.d:4876 -> w.x.y.z:80
>TCP TTL:117 TOS:0x0 ID:39095 IpLen:20 DgmLen:136 DF
>***AP*** Seq: 0x48142058  Ack: 0x71F0399B  Win: 0x2238  TcpLen: 20
> 
>[**] [1:1002:5] WEB-IIS cmd.exe access [**]
>[Classification: Web Application Attack] [Priority: 1] 
>10/09-23:22:12.259297 a.b.c.d:4888 -> w.x.y.z:80
>TCP TTL:117 TOS:0x0 ID:44471 IpLen:20 DgmLen:157 DF
>***AP*** Seq: 0x48198BD7  Ack: 0x71F0FC90  Win: 0x2238  TcpLen: 20
>
>SnortSnarf apparently uses the whitespace as a delimiter, so it will 
>display a group of alerts bunched together as a single alert.
>
>Has anyone else run into this problem?
>
>My sensors are running OpenBSD 3.0.  Snort 1.9 was built from source.  
>My reporting machine is running SnortSnarf-020516.1 on Solaris 8.  
>Snort 1.9 was built from source.
>
>My Snort command:
>/usr/local/bin/snort -c /root/snort/snort.conf -h w.x.y.z/24 -i \
>fxp1 -A full -b -D
>
>My SnortSnarf command:
>/usr/local/bin/snortsnarf.pl -d $DMZ/10/10/ -ldir \
>https://reporter/dmz/2002/10/10/ -homenet w.x.y.z/24 $DMZ/10/10/alert
>
>Thanks.
>  
>
