[Snort-users] Override alert msg for reputation preprocessor?

Hui cao huica at ...589...
Thu Jul 17 15:28:06 EDT 2014


Hi Duane,

This is done intentionally. If it's a preprocessor or decoder rule, the 
message we want to use is the one that was in Snort, not what is in the 
message of the rule, which will be generic if the rule was not 
autogenerated and potentially wrong if it was.

Best,
Hui.

On 07/17/2014 01:24 PM, Duane Howard wrote:
> Hey all, I've enabled alerting for blacklisted events using the 
> reputation preprocessor, but alerts continue to use the message 
> defined in:
> spp_reputation.h
>
> Instead of anything found in gen-msg.map or preproc.rules.
>
> Is there a way to override the message that's sent when writing fast 
> or unified2 alerts? We do some custom processing and I'd like to be 
> able to modify this a bit for our specific use case.
>
> examples:
> spp_reputation.h:
> #define REPUTATION_EVENT_BLACKLIST_STR "(spp_reputation) packets blacklisted"
>
> gen-msg.map:
> 136 || 1 || reputation: Packet is blacklisted
>
> preproc.rules:
> alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; tag:session,60,seconds; classtype:bad-unknown; )
>
> Actual alert resulting:
> 07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.XXX.XXX.XXX:XXXX -> XXX.XXX.XXX.XXX:XXX
>
> I'd like to change "(spp_reputation) packets blacklisted" without 
> needing to recompile, etc.
>
> Thanks,
> Duane
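Since the preprocessor string is compiled in and Snort will not substitute the gen-msg.map or preproc.rules text for gid 136, the message can still be changed without a recompile by rewriting it in post-processing: parse each fast-alert line, key on the [gid:sid] pair, and substitute the text from gen-msg.map or from a local override table. The Python below is an added example, not code from this thread or from the Snort project. The gen-msg.map entries and alert lines are constructed samples (the first alert mirrors the one quoted above, with the masked addresses replaced by documentation ranges), and the function names are my own.

```python
import re

# Constructed gen-msg.map excerpt. Snort 2.x format: gid || sid || message
GEN_MSG_MAP = """\
# gid || sid || msg
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
"""

# Constructed fast-alert lines. The first mirrors the thread's example with
# the preprocessor's compiled-in message; the second is a plain text rule.
FAST_ALERTS = [
    "07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.7:443",
    "07/14-02:51:31.001200  [**] [1:1000001:3] LOCAL test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:53 -> 198.51.100.8:53",
]

# Fast output: "<timestamp>  [**] [gid:sid:rev] <msg> [**] <classification/priority/proto/addrs>"
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?P<rest>.*)$"
)


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            continue  # malformed entry; ignore rather than abort on one bad line
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table


def parse_fast_alert(line):
    """Split a fast-alert line into its fields, or return None if it does not match."""
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev"):
        fields[key] = int(fields[key])
    return fields


def rewrite_alert(line, msg_table, overrides=None):
    """Replace the alert message with the override or gen-msg.map text for its gid:sid.

    Lines that do not parse, or whose gid:sid is unknown, pass through unchanged so
    that the pipeline never drops or mangles an alert it does not recognise.
    """
    parsed = parse_fast_alert(line)
    if parsed is None:
        return line
    key = (parsed["gid"], parsed["sid"])
    new_msg = (overrides or {}).get(key) or msg_table.get(key)
    if new_msg is None:
        return line
    return (f"{parsed['ts']}  [**] [{parsed['gid']}:{parsed['sid']}:{parsed['rev']}] "
            f"{new_msg} [**] {parsed['rest']}")


if __name__ == "__main__":
    table = parse_gen_msg_map(GEN_MSG_MAP)
    # Site-specific wording, applied in preference to gen-msg.map (hypothetical text).
    local_overrides = {(136, 1): "REPUTATION blacklisted source"}
    for alert in FAST_ALERTS:
        print(rewrite_alert(alert, table, local_overrides))
```

The same lookup can be applied to unified2 records, where the event carries gid/sid/rev as integers and the message is resolved by the consumer (for example barnyard2) from gen-msg.map, so a custom map is the natural place to change the wording there.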
