[Snort-users] alert file XRef URL's

Chapman, Justin T JtChapma at ...8815...
Mon Apr 7 16:45:06 EDT 2003


Hi,

I have recently upgraded to snort 1.9.1 and ran into a small problem with
the alert files.  Snort used to produce output similar to:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800
len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091
IpLen:20 DgmLen:106
Len: 86
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0013] 
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0012] 
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-1999-0517]

Now, for the same alert, the alert file output looks like:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800
len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091
IpLen:20 DgmLen:106
Len: 86
[Xref => cve can-2002-0013][Xref => cve can-2002-0012][Xref => cve
can-1999-0517]

It's not URL-izing the cve/arachnids/bid #'s any more...  Is there a config
option that I'm missing?  After googling for a while, I tried the following
additions to snort.conf:

config reference: cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachnids http://www.whitehats.com/info/IDS
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://

But that didn't seem to fix it.  Any ideas?

Thanks!

--justin
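
Added example, not part of the original post and not Snort's own code: a post-processing filter that reads the `config reference:` prefixes quoted in the message and expands bare `[Xref => system id]` entries from an alert file into full URLs, independent of what Snort itself writes. The function names and embedded sample strings are constructed here from the text of the post.

```python
import re

# The four "config reference:" lines quoted in the post, verbatim.
SNORT_CONF = """\
config reference: cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachnids http://www.whitehats.com/info/IDS
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
"""

# Tail of the 1.9.1-style alert from the post, including the mail-wrapped Xref.
ALERT_TAIL = """\
Len: 86
[Xref => cve can-2002-0013][Xref => cve can-2002-0012][Xref => cve
can-1999-0517]
"""

CONF_RE = re.compile(r"^\s*config\s+reference:\s*(\S+)\s+(\S+)\s*$", re.M)
# \s+ between system and id tolerates an Xref that was wrapped across lines.
XREF_RE = re.compile(r"\[Xref => (\S+)\s+([^\]\s]+)\]")


def load_reference_map(conf_text):
    """Map reference system name -> URL prefix from 'config reference:' lines."""
    return {name.lower(): prefix for name, prefix in CONF_RE.findall(conf_text)}


def expand_xrefs(alert_text, ref_map):
    """Rewrite bare '[Xref => system id]' entries as '[Xref => system URL]'.

    Entries whose system has no configured prefix, or whose id is already a
    URL (old-style output), are left untouched.
    """
    def repl(m):
        system, ref_id = m.group(1), m.group(2)
        prefix = ref_map.get(system.lower())
        if prefix is None or "://" in ref_id:
            return m.group(0)
        return "[Xref => %s %s%s]" % (system, prefix, ref_id)
    return XREF_RE.sub(repl, alert_text)


if __name__ == "__main__":
    print(expand_xrefs(ALERT_TAIL, load_reference_map(SNORT_CONF)))
```

Running the filter twice over the same file is safe, because entries that already carry a URL are skipped.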



