Thu Nov 23 16:36:19 EST 2017
/* If this signature is detected for the first time
 *  - write the signature
 *  - write the signature's references, classification, priority, id,
 *    revision number
 * Note: if a signature (identified with a unique text message, revision #)
 *       initially is logged to the DB without references/classification,
 *       but later they are added, this information will _not_ be
 *       stored/updated unless the revision number is changed.
 *       This algorithm is used in order to prevent many DB SELECTs to
 *       verify their presence _every_ time the alert is triggered.
 */
I believe since your first signature didn't have a revision, snort left it
null in the DB. I tried to figure out how it handled that situation in the
code, but I couldn't. Try incrementing rev to 2 and forcing another alert.
I bet that will fix it.
Cheers - Erick
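
The write-once behaviour described in the quoted comment, as an added example that is not part of the original message and is not Snort's code. It is a simplified model: the two-table schema, the function names, the rule name and the reference value are constructed for illustration, and matching a missing revision against a stored NULL is an assumption of this model, not a statement about how Snort handles it.

```python
import sqlite3

def open_db():
    # Simplified, hypothetical schema: one row per (message, revision).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY,
                                sig_name TEXT, sig_rev INTEGER);
        CREATE TABLE sig_reference (sig_id INTEGER, ref_tag TEXT);
    """)
    return db

def log_alert(db, name, rev=None, refs=()):
    """Return the sig_id for an alert, writing the signature only once."""
    # 'IS' instead of '=' so a missing revision matches a stored NULL
    # (assumption of this model).
    row = db.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev IS ?",
        (name, rev)).fetchone()
    if row:
        # Known (message, revision): references are not re-checked,
        # which is what saves the extra SELECTs on every alert.
        return row[0]
    cur = db.execute(
        "INSERT INTO signature (sig_name, sig_rev) VALUES (?, ?)", (name, rev))
    sig_id = cur.lastrowid
    db.executemany("INSERT INTO sig_reference VALUES (?, ?)",
                   [(sig_id, r) for r in refs])
    return sig_id

def refs_for(db, sig_id):
    rows = db.execute(
        "SELECT ref_tag FROM sig_reference WHERE sig_id = ? ORDER BY ref_tag",
        (sig_id,))
    return [r[0] for r in rows]

def demo():
    db = open_db()
    ref = ["url,example.org/a"]                        # constructed value
    first = log_alert(db, "LOCAL test rule")           # no rev, no references
    again = log_alert(db, "LOCAL test rule", refs=ref) # refs added, same rev
    bumped = log_alert(db, "LOCAL test rule", rev=2, refs=ref)
    return first, again, bumped, refs_for(db, again), refs_for(db, bumped)

if __name__ == "__main__":
    print(demo())
```

In this model the second alert reuses the first row and its added reference is dropped; only the alert with the changed revision gets a new row with the reference attached.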