[Snort-users] Override alert msg for reputation preprocessor?

Duane Howard duane.security at ...11827...
Thu Jul 17 17:31:27 EDT 2014


Thanks Hui,

So I'm reading the answer as, "no, there's no way to override this value
without modifying the source and recompiling."

./d


On Thu, Jul 17, 2014 at 12:28 PM, Hui cao <huica at ...589...> wrote:

>  Hi Duane,
>
> This is done intentionally. If it's a preprocessor or decoder rule, the
> message we want to use is the one that was in snort, not what is in the
> message of the rule, which will be generic if the rule was not
> autogenerated and potentially wrong if it was.
>
> Best,
> Hui.
>
>
> On 07/17/2014 01:24 PM, Duane Howard wrote:
>
>  Hey all, I've enabled alerting for blacklisted events using the
> reputation preprocessor, but alerts continue to use the message defined in:
> spp_reputation.h
>
>  Instead of anything found in gen-msg.map or preproc.rules.
>
>  Is there a way to override the message that's sent when writing fast or
> unified2 alerts? We do some custom processing and I'd like to be able to
> modify this a bit for our specific use case.
>
>  examples:
> spp_reputation.h:
> #define REPUTATION_EVENT_BLACKLIST_STR     "(spp_reputation) packets blacklisted"
>
>  gen-msg.map:
> 136 || 1 || reputation: Packet is blacklisted
>
>  preproc.rules:
> alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1;
> metadata: rule-type preproc ; tag:session,60,seconds;
> classtype:bad-unknown; )
>
>  Actual alert resulting:
> 07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted
> [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
> XXX.XXX.XXX.XXX:XXXX -> XXX.XXX.XXX.XXX:XXX
>
>  I'd like to change "(spp_reputation) packets blacklisted" without
> needing to recompile, etc.
>
>  Thanks,
> Duane
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.http://p.sf.net/sfu/bds
>
>
>
> _______________________________________________
> Snort-users mailing listSnort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
>
>
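Since the reputation preprocessor's message string is compiled into spp_reputation.h and the "custom processing" has to happen downstream anyway, one workable approach is to remap the message at the consumer by gid:sid, which is what the unified2 path already forces (unified2 event records carry the generator, signature and revision numbers, not the message text, so tools such as barnyard2 resolve the text from gen-msg.map themselves). The script below is an added example written for this thread, not code from Snort or from either poster: it loads a gen-msg.map-style table and rewrites the message field of fast-alert lines, optionally consulting a local override table first so a site-specific string can replace the gen-msg.map one. The 136 || 1 entry and the first alert line are taken from the thread; the second map entry, the second alert line, the placeholder addresses and the `overrides` parameter are constructed for illustration.

```python
import re

# gen-msg.map excerpt: the 136 || 1 line is from the thread, the 136 || 2
# line is constructed for illustration (the format is "gid || sid || msg").
GEN_MSG_MAP = """\
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
"""

# Constructed fast-alert lines in the format shown in the thread; the
# addresses are placeholders, and the second line is a non-preprocessor
# alert that has no gen-msg.map entry and must pass through unchanged.
FAST_ALERTS = """\
07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
07/14-02:51:31.000001  [**] [1:1000001:1] LOCAL custom rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.3:53 -> 10.0.0.4:53
"""

# Matches "[**] [gid:sid:rev] <message> [**]"; the message is group 4.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg} from gen-msg.map text ("gid || sid || msg")."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line: skip rather than guess
        gid, sid, msg = parts[0], parts[1], parts[2]
        table[(int(gid), int(sid))] = msg
    return table


def rewrite_alert(line, table, overrides=None):
    """Replace the message text of one fast-alert line, keyed on gid:sid.

    overrides (assumed helper, not a Snort feature) is {(gid, sid): msg} and
    is consulted before the gen-msg.map table. Lines with no mapping, or that
    do not look like fast alerts, are returned unchanged.
    """
    m = ALERT_RE.search(line)
    if not m:
        return line
    gid, sid = int(m.group(1)), int(m.group(2))
    new_msg = overrides.get((gid, sid)) if overrides else None
    if new_msg is None:
        new_msg = table.get((gid, sid))
    if new_msg is None:
        return line  # keep Snort's compiled-in text
    # Splice the new message in place, keeping timestamp and trailer intact.
    return line[:m.start(4)] + new_msg + line[m.end(4):]


def rewrite_alerts(text, table, overrides=None):
    """Rewrite every non-empty line of a fast-alert log."""
    return [rewrite_alert(l, table, overrides) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    table = parse_gen_msg_map(GEN_MSG_MAP)
    for out in rewrite_alerts(FAST_ALERTS, table, overrides={(136, 1): "REPUTATION blacklist hit"}):
        print(out)
```

The gid:sid pair is the stable key here; the message text is not, since a preprocessor event can carry one string in the compiled-in header, another in gen-msg.map and a third in preproc.rules, as the thread shows. Keying on the numbers also means the same override table works for a unified2 consumer, where the text is never present in the record to begin with.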