No subject

Thu Nov 23 16:36:19 EST 2017

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *                          revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.

I believe since your first signature didn't have a revision, snort left it
null in the DB.  I tried to figure out how it handled that situation in the
code, but I couldn't.  Try incrementing rev to 2 and forcing another alert.  
I bet that will fix it.

Cheers - Erick

More information about the Snort-users mailing list