[Snort-users] snort 2.8.6.1/base/ barnyard2 unified2 classification_id

Paul Schmehl pschmehl_lists at ...14358...
Fri Sep 3 15:47:53 EDT 2010


--On Thursday, September 02, 2010 17:52:36 -0400 "Lawrence R. Hughes, Sr." 
<lhughes at ...14822...> wrote:

> Hi Paul,
>
> Thanks for your reply, going on your description:
>
> paul> The classification id is "embedded" in the db already.  Each active
> paul> signature is registered with its class_id when it's read into snort
> paul> during startup.  When a signature triggers, its sig_name ties to all
> paul> the other values.
>
> I cleared my mysql.log, started barnyard2 then snort.
>
> I checked the mysql.log and it did not show where barnyard did anything you
> mentioned above at startup.
>

Because your database was already populated.

From line 1371 ff. of spo_database.c:

    sig_id = Select(select0, data);

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *                          revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.
     */
    if(sig_id == 0)
    {
        if(cn != NULL)
        {
            /* classification */
            if(cn->type)
            {
                /* Get the ID # of this classification */
                select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1);
                sig_class = snort_escape_string(cn->type, data);

                ret = SnortSnprintf(select1, MAX_QUERY_LENGTH,
                                    "SELECT sig_class_id "
                                    "  FROM sig_class "

And so forth.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
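The first-time-only write that the excerpt above describes, reduced to a runnable model. This is an added example, not code from snort, barnyard2 or this thread: it uses Python with an in-memory SQLite database, an assumed and simplified sig_class/signature schema, and function names (record_alert, select_sig_id, demo) that are this example's own. It shows why an already populated database produces no signature or classification writes on later alerts, and why a classification added to an existing revision is never stored until the revision number changes.

```python
import sqlite3

# Assumed, simplified schema modelled on the sig_class / signature tables the
# snort/barnyard2 database output plugin writes to (the real tables have more
# columns; this is an example schema, not the project's).
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name TEXT NOT NULL UNIQUE
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT    NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER NOT NULL,
    sig_sid      INTEGER NOT NULL,
    sig_gid      INTEGER NOT NULL
);
"""


def open_db():
    """Fresh in-memory database: the 'not yet populated' case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def select_sig_id(conn, sig_name, rev, sid, gid):
    """Counterpart of the Select(select0, data) call: 0 means 'never seen'."""
    row = conn.execute(
        "SELECT sig_id FROM signature"
        " WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ? AND sig_gid = ?",
        (sig_name, rev, sid, gid),
    ).fetchone()
    return row[0] if row else 0


def sig_class_id_for(conn, class_name, log):
    """Look up the classification id, inserting the class on first sight."""
    row = conn.execute(
        "SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?", (class_name,)
    ).fetchone()
    log.append("SELECT sig_class")
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO sig_class (sig_class_name) VALUES (?)", (class_name,))
    log.append("INSERT sig_class")
    return cur.lastrowid


def record_alert(conn, log, sig_name, sid, gid, rev, class_name=None, priority=None):
    """Mirror of the quoted spo_database.c logic.

    The signature row, with its classification and priority, is written only
    when the (name, rev, sid, gid) tuple is not in the table yet; later alerts
    for the same revision never update it.  `log` collects the kinds of
    statements issued, i.e. roughly what mysql.log would show.
    """
    sig_id = select_sig_id(conn, sig_name, rev, sid, gid)
    log.append("SELECT signature")
    if sig_id == 0:
        class_id = sig_class_id_for(conn, class_name, log) if class_name else None
        cur = conn.execute(
            "INSERT INTO signature"
            " (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid, sig_gid)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (sig_name, class_id, priority, rev, sid, gid),
        )
        log.append("INSERT signature")
        sig_id = cur.lastrowid
    return sig_id


def stored_class(conn, sig_id):
    """Classification id currently stored for a signature row (None if absent)."""
    return conn.execute(
        "SELECT sig_class_id FROM signature WHERE sig_id = ?", (sig_id,)
    ).fetchone()[0]


def demo():
    """Constructed alerts walking through the caveat in the source comment."""
    conn = open_db()
    log = []
    # 1. First alert for a local rule, rev 1, logged without a classtype.
    first = record_alert(conn, log, "LOCAL test rule", 1000001, 1, 1)
    # 2. Same signature and revision, now carrying a classtype: not updated.
    again = record_alert(conn, log, "LOCAL test rule", 1000001, 1, 1,
                         class_name="misc-activity", priority=3)
    # 3. Revision bumped: treated as a new signature and written with its class.
    bumped = record_alert(conn, log, "LOCAL test rule", 1000001, 1, 2,
                          class_name="misc-activity", priority=3)
    return {
        "same_row_for_rev1": first == again,
        "class_after_rev1": stored_class(conn, first),
        "class_after_rev2": stored_class(conn, bumped),
        "statements": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running demo() shows a single SELECT for the repeated rev 1 alert, a NULL classification that stays NULL, and the INSERTs only reappearing once the revision changes; that is the same reason a populated database shows no signature or class writes in mysql.log at startup.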
