[Snort-users] snort barnyard2 unified2 classification_id

Paul Schmehl pschmehl_lists at ...14358...
Fri Sep 3 15:47:53 EDT 2010

--On Thursday, September 02, 2010 17:52:36 -0400 "Lawrence R. Hughes, Sr." 
<lhughes at ...14822...> wrote:

> Hi Paul,
> Thanks for your reply, going on your description:
> paul> The classification id is "embedded" in the db already.  Each active
> signature
> paul> is registered with its class_id when it's read into snort during
> startup.  When
> paul> a signature triggers, its sig_name ties to all the other values.
> I cleared my mysql.log, started barnyard2 then snort.
> I checked the mysql.log and it did not show where barnyard did anything you
> mentioned above at startup.

Because your database was already populated.

From line 1371 ff. of spo_database.c:

    sig_id = Select(select0, data);

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *                          revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.
     */
    if(sig_id == 0)
    {
        if(cn != NULL)
        {
            /* classification */
            /* Get the ID # of this classification */
            select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1);
            sig_class = snort_escape_string(cn->type, data);

            ret = SnortSnprintf(select1, MAX_QUERY_LENGTH,
                                "SELECT sig_class_id "
                                "  FROM sig_class "

And so forth.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
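An added example, written for this page and not code from barnyard2 or Snort, that replays the caching rule described in that spo_database.c comment against an in-memory SQLite copy of a reduced Snort schema. The sig_class and signature table/column names mirror the Snort DB schema; the lookup key (message plus revision) follows the comment above; the alert values and the helper names (open_db, class_id, log_alert, stored_class, demo) are assumptions for illustration. It shows why the mysql.log stays quiet once the signature row exists, and why a classtype added to a rule after its first alert is not picked up until the rev is bumped.

```python
"""Added example (not barnyard2's or Snort's own code): replays the
spo_database.c rule "write signature + classification only on first sight"
against an in-memory SQLite copy of a reduced Snort schema."""
import sqlite3

# Reduced Snort DB schema (assumed: only the columns the example touches).
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name TEXT NOT NULL UNIQUE
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def class_id(db, class_name):
    """Look up sig_class by name, inserting it on first sight; this is the
    'SELECT sig_class_id FROM sig_class WHERE sig_class_name = ...' path."""
    if class_name is None:
        return None
    row = db.execute("SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?",
                     (class_name,)).fetchone()
    if row:
        return row[0]
    cur = db.execute("INSERT INTO sig_class (sig_class_name) VALUES (?)",
                     (class_name,))
    return cur.lastrowid


def log_alert(db, gid, sid, rev, msg, class_name, priority):
    """Return the sig_id for an alert. The signature row, its class and its
    priority are written only when (msg, rev) has never been seen; if the row
    exists (sig_id != 0 in the C code) nothing else is selected or updated,
    so a class_name supplied later for the same (msg, rev) is ignored."""
    row = db.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ?",
        (msg, rev)).fetchone()
    if row:
        return row[0]
    cid = class_id(db, class_name)
    cur = db.execute(
        "INSERT INTO signature "
        "(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid) "
        "VALUES (?, ?, ?, ?, ?, ?)", (msg, cid, priority, rev, sid, gid))
    return cur.lastrowid


def stored_class(db, sig_id):
    """Classification name currently attached to a signature row, or None."""
    row = db.execute(
        "SELECT c.sig_class_name FROM signature s "
        "LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id "
        "WHERE s.sig_id = ?", (sig_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Constructed sequence: the rule first fires with no classtype, then the
    rule file gains a classtype with rev unchanged, then rev is bumped."""
    db = open_db()
    first = log_alert(db, 1, 1000001, 1, "LOCAL test rule", None, 3)
    same_rev = log_alert(db, 1, 1000001, 1, "LOCAL test rule", "misc-attack", 2)
    bumped = log_alert(db, 1, 1000001, 2, "LOCAL test rule", "misc-attack", 2)
    return {
        "first_sig_id": first,
        "same_rev_reuses_row": same_rev == first,
        "class_after_same_rev": stored_class(db, first),
        "bumped_sig_id": bumped,
        "class_after_bump": stored_class(db, bumped),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the thread: with a populated database, neither the sig_class lookup nor the INSERT will appear in mysql.log on startup or on later alerts, because barnyard2 only takes that path when the SELECT on signature returns nothing. To get a new classtype stored for an existing rule, change its rev (or clear the signature row).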
