[Snort-users] Obtain CVE id from unix sock output of Snort

Biswas, Proneet pbiswas at ...10875...
Tue Feb 3 20:16:10 EST 2004


Hi,
  Is there any tool which correlates the Snort alerts with Nessus data?
Thanks.

-----Original Message-----
From: Matteo [mailto:matteo at ...11123...]
Sent: Tuesday, February 03, 2004 2:33 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Obtain CVE id from unix sock output of Snort


Hello all,
I'm writing a little prog that reads the data from the snort unix dom 
socket and I need to retrieve, if it's present, the cve code from 
the reference of the alert.

I'm reading a structure like 

typedef struct _Event {
 u_int32_t sig_generator; 
 u_int32_t sig_id; 
 u_int32_t sig_rev; 
 u_int32_t classification; 
 u_int32_t priority; 
 u_int32_t event_id; 
 u_int32_t event_reference;
 struct timeval ref_time; 
} Event;

/* alert socket code */
typedef struct _Snortpkt {
 u_int8_t alertmsg[ALERTMSG_LENGTH];
 struct timeval ts;
 u_int32_t caplen;
 u_int32_t len;
 u_int32_t dlthdr; 
 u_int32_t nethdr; 
 u_int32_t transhdr; 
 u_int32_t data;
 u_int32_t val; 
#define NOPACKET_STRUCT 0x1
#define NO_TRANSHDR 0x2
 u_int8_t pkt[SNAPLEN];
 Event event;
} Snortpkt;


How could I obtain the CVE from here?

Thanks all,

---------------------------------------------------------------------
Matteo Poropat
  + homepage:	http://www.genhome.org
  + software:	http://www.genhome.org/genhome/soft_vari.html

Fanzine "MEMORIE dal BUIO"
  + homepage:	http://www.genhome.org/memoriedalbuio/default.html
  + mail list:	http://it.groups.yahoo.com/group/memoriedalbuio
----------------------------------------------------------------------
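
Added example (not part of the original post and not Snort's own code): none of the fields in the structures shown holds the rule's reference strings, so one approach is to take event.sig_id (for sig_generator 1, ordinary rules) and look it up in a copy of Snort's sid-msg.map. The "sid || msg || ref || ref" layout, the function name cve_for_sid and the sample entries are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the assumed sid-msg.map layout: sid || msg || ref ... */
static const char SAMPLE_MAP[] =
    "# constructed entries, not real rules\n"
    "1000001 || EXAMPLE rule with two refs || bugtraq,0000 || cve,CAN-0000-0001\n"
    "1000002 || EXAMPLE rule without cve || url,example.com/advisory\n";
/* Copy the first cve reference for sig_id into out; 1 = found, 0 = none. */
int cve_for_sid(const char *map, uint32_t sig_id, char *out, size_t outlen)
{
    const char *line = map;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len > 0 && len < sizeof buf && line[0] != '#') {
            snprintf(buf, sizeof buf, "%.*s", (int)len, line);
            char *end;
            unsigned long sid = strtoul(buf, &end, 10);
            if (end != buf && sid == sig_id) {
                char *f = strstr(end, "||");  /* separator before msg */
                while (f && (f = strstr(f + 2, "||")) != NULL) {
                    char *ref = f + 2 + strspn(f + 2, " ");
                    if (strncmp(ref, "cve,", 4) == 0) {
                        size_t n = strcspn(ref + 4, " |\r");
                        if (n == 0 || n >= outlen) return 0;
                        snprintf(out, outlen, "%.*s", (int)n, ref + 4);
                        return 1;
                    }
                }
                return 0;  /* sid known, no cve reference */
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    char cve[32];
    uint32_t sig_id = 1000001;  /* stands in for Snortpkt.event.sig_id */
    if (cve_for_sid(SAMPLE_MAP, sig_id, cve, sizeof cve))
        printf("sid %u -> %s\n", (unsigned)sig_id, cve);
    return 0;
}
```

Map lines longer than the 512-byte buffer are skipped, and a reference that does not fit in the caller's buffer is reported as not found instead of being truncated.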




