Snort mailing list archives
alert file XRef URL's
From: "Chapman, Justin T" <JtChapma () bhi-erc com>
Date: Mon, 7 Apr 2003 16:40:19 -0700
Hi,

I have recently upgraded to snort 1.9.1 and ran into a small problem with the alert files. Snort used to produce output similar to:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800 len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091 IpLen:20 DgmLen:106
Len: 86
[Xref => cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0013]
[Xref => cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0012]
[Xref => cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-1999-0517]

Now, for the same alert, the alert file output looks like:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800 len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091 IpLen:20 DgmLen:106
Len: 86
[Xref => cve can-2002-0013][Xref => cve can-2002-0012][Xref => cve can-1999-0517]

It's not URL-izing the cve/arachnids/bid #'s any more... Is there a config option that I'm missing? After googling for a while, I tried the following additions to snort.conf:

config reference: cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachnids http://www.whitehats.com/info/IDS
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://

But that didn't seem to fix it. Any ideas?

Thanks!
--justin
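One way to post-process alert files that carry only bare reference ids, as an added example that is not part of the original message and not Snort's own code: it parses the `config reference:` lines quoted in the message and rewrites `[Xref => system id]` entries into full URLs. The function names and the embedded sample strings are constructed for illustration.

```python
import re

# The four "config reference:" lines quoted in the message above.
SNORT_CONF = """\
config reference: cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachnids http://www.whitehats.com/info/IDS
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
"""

# Xref line in the newer, non-URL form shown in the message.
SAMPLE_ALERT = ("[Xref => cve can-2002-0013][Xref => cve can-2002-0012]"
                "[Xref => cve can-1999-0517]")

CONF_LINE = re.compile(r"\s*config\s+reference:\s*(\S+)\s+(\S+)\s*$")
XREF = re.compile(r"\[Xref => (\S+) ([^\]\s]+)\]")


def parse_reference_config(text):
    """Map each reference system name to its URL prefix."""
    refs = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            refs[m.group(1).lower()] = m.group(2)
    return refs


def expand_xrefs(alert_text, refs):
    """Rewrite bare Xref ids as URLs; leave unknown systems and URLs alone."""
    def repl(m):
        system, ident = m.group(1), m.group(2)
        prefix = refs.get(system.lower())
        # Unknown system, or the id is already a full URL: keep as written.
        if prefix is None or "://" in ident:
            return m.group(0)
        return "[Xref => %s %s%s]" % (system, prefix, ident)
    return XREF.sub(repl, alert_text)


if __name__ == "__main__":
    print(expand_xrefs(SAMPLE_ALERT, parse_reference_config(SNORT_CONF)))
```

Running the expansion a second time leaves the text unchanged, so the script is safe to apply to files that mix both output forms.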
Current thread:
- alert file XRef URL's Chapman, Justin T (Apr 07)
- Re: alert file XRef URL's Chris Green (Apr 10)