Snort mailing list archives
Re: How to proceed
From: Kevin Johnson <kjohnson () secureideas net>
Date: Thu, 10 Nov 2005 23:05:21 -0500
On Thu, 2005-11-10 at 17:29 +0100, Ralf Spenneberg wrote:
> Hi,

Hi-

> you configured everything correctly. This is a shortcoming in Base.

I hate to disagree... but my understanding is different.

> The alert was generated by a preprocessor and not a signature. Base cannot yet distinguish between these alerts and always tries to look up a signature at the snort homepage. All sids below 100 definitely are preprocessor alerts and are not accessible through the snort homepage.

Snort does not log the Generator id to the database, so BASE can not read it. A patch was submitted to Sourcefire to include this field in the future with a schema change to 107. So far that patch has not been applied. I know that there is some concern for other projects not knowing how to handle that field.

> Ralf

Please correct me if I am wrong, but we are currently holding a patch to fix this once the 107 change goes in.

Kevin
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
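The distinction the two posts are arguing about, as an added example that is not from the thread, BASE or Snort: when the generator id is available (it is in Snort's text alert output as the `[gid:sid:rev]` triplet, even though the database schema discussed here lacks it), a console can tell preprocessor events from rule hits directly; without it, the fallback is the sid-below-100 heuristic Ralf describes, and only rule-based alerts should get a signature lookup link. The alert lines and the lookup URL prefix are constructed placeholders.

```python
import re
from typing import Optional

# Snort "fast" alert format carries [gid:sid:rev] right after the first [**].
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

RULE_GID = 1  # generator 1 is the rules engine; other generators are preprocessors/decoder

# Constructed sample lines in Snort's fast-alert layout (not real captured alerts).
SAMPLE_ALERTS = [
    "11/10-17:29:01.000000  [**] [1:2003:8] Constructed rule hit [**] [Priority: 2] "
    "{UDP} 10.0.0.5:1434 -> 10.0.0.9:1434",
    "11/10-17:29:02.000000  [**] [119:4:1] (http_inspect) Constructed preprocessor event "
    "[**] [Priority: 3] {TCP} 10.0.0.7:40000 -> 10.0.0.9:80",
]

# Placeholder lookup prefix; the real per-sid signature page URL is not given in the thread.
LOOKUP_PREFIX = "https://sig-lookup.example/?sid="


def classify(gid: Optional[int], sid: int) -> str:
    """Return 'signature' for rule-engine alerts or 'preprocessor' otherwise.

    With a generator id, decide directly. Without one (the database case in this
    thread), fall back to the heuristic that sids below 100 are preprocessor alerts.
    """
    if gid is not None:
        return "signature" if gid == RULE_GID else "preprocessor"
    return "preprocessor" if sid < 100 else "signature"


def lookup_url(gid: Optional[int], sid: int) -> Optional[str]:
    """Build a signature lookup link only for rule-based alerts; preprocessor alerts have none."""
    if classify(gid, sid) != "signature":
        return None
    return f"{LOOKUP_PREFIX}{sid}"


def parse_alert(line: str) -> Optional[dict]:
    """Extract gid/sid/rev/msg from a fast-alert line and tag its kind; None if no triplet."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4), "kind": classify(gid, sid)}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        rec = parse_alert(line)
        print(rec["kind"], rec["gid"], rec["sid"], lookup_url(rec["gid"], rec["sid"]))
```

With only a sid column to go on, `classify(None, sid)` reproduces what a gid-less schema forces a console into; the heuristic breaks for any preprocessor that uses sids of 100 or above, which is why the gid column matters.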