Snort mailing list archives

Re: Tagging doesn't set Sig name?


From: Erick Mechler <emechler () techometer net>
Date: Wed, 19 Feb 2003 20:06:26 -0800

:: Then I rebuilt ACID's cache and forced an alert - still get "(34)Unknown Sig
:: Name". 
:: 
:: Does the sid have to be defined somewhere else? 

From src/output-plugins/spo_database.c line 904:

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *                          revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.
     */

I believe since your first signature didn't have a revision, snort left it
null in the DB.  I tried to figure out how it handled that situation in the
code, but I couldn't.  Try incrementing rev to 2 and forcing another alert.  
I bet that will fix it.

Cheers - Erick
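The behaviour described in the quoted source comment can be reproduced with a small model. This is an added example, not part of the original message and not Snort's code: the table layout, the `log_signature` helper, the rule message and the sid value are all assumptions made for illustration.

```python
import sqlite3

def open_db():
    # Simplified stand-in for the signature table (layout is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE signature (
        sig_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        sig_name  TEXT NOT NULL,
        sig_rev   INTEGER NOT NULL,
        sig_sid   INTEGER,
        sig_class TEXT)""")
    return db

def log_signature(db, msg, rev, sid=None, classtype=None):
    """Return the sig_id for (msg, rev), writing a row only on first sight."""
    row = db.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ?",
        (msg, rev)).fetchone()
    if row:
        # Known (message, revision) pair: reuse the row. The sid and
        # classtype passed in now are NOT written back to the database.
        return row[0]
    cur = db.execute(
        "INSERT INTO signature (sig_name, sig_rev, sig_sid, sig_class) "
        "VALUES (?, ?, ?, ?)", (msg, rev, sid, classtype))
    return cur.lastrowid

def stored(db, sig_id):
    # What the database actually holds for one signature row.
    return db.execute(
        "SELECT sig_rev, sig_sid, sig_class FROM signature WHERE sig_id = ?",
        (sig_id,)).fetchone()

def demo():
    db = open_db()
    msg = "LOCAL test rule"  # constructed rule message
    # First alert: the rule has no sid or classtype yet.
    first = log_signature(db, msg, rev=1)
    # Metadata added to the rule later, revision left unchanged.
    same = log_signature(db, msg, rev=1, sid=1000001, classtype="misc-activity")
    # Same metadata, revision incremented: a new row is written.
    bumped = log_signature(db, msg, rev=2, sid=1000001, classtype="misc-activity")
    return first, same, bumped, stored(db, first), stored(db, bumped)

if __name__ == "__main__":
    print(demo())
```

In this model the second alert reuses the original row with its empty metadata, and only the alert raised after the revision change produces a row that carries the sid and classification.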

