Snort mailing list archives

alert file XRef URL's


From: "Chapman, Justin T" <JtChapma () bhi-erc com>
Date: Mon, 7 Apr 2003 16:40:19 -0700

Hi,

I have recently upgraded to snort 1.9.1 and ran into a small problem with
the alert files.  Snort used to produce output similar to:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800
len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091
IpLen:20 DgmLen:106
Len: 86
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0013] 
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0012] 
[Xref => cve
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-1999-0517]

Now, for the same alert, the alert file output looks like:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/07-16:25:59.767703 0A:0A:0A:0A:0A:0A -> 0B:0B:0B:0B:0B:0B type:0x800
len:0x78
xxx.xxx.xxx.xxx:1084 -> xxx.xxx.xxx.xxx:161 UDP TTL:125 TOS:0x0 ID:64091
IpLen:20 DgmLen:106
Len: 86
[Xref => cve can-2002-0013][Xref => cve can-2002-0012][Xref => cve
can-1999-0517]

It's not URL-izing the cve/arachnids/bid #'s any more...  Is there a config
option that I'm missing?  After googling for a while, I tried the following
additions to snort.conf:

config reference: cve http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachnids http://www.whitehats.com/info/IDS
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://

But that didn't seem to fix it.  Any ideas?

Thanks!

--justin
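
An added example, not part of the original post and not Snort code: a post-processing sketch that rewrites the bare `[Xref => cve can-2002-0013]` entries of the newer alert format back into URLs, using the prefixes from the `config reference:` lines quoted above. The function name `expand_xrefs` and the `SAMPLE` text (built from the alert in the post) are assumptions made for illustration.

```python
import re

# URL prefixes copied from the "config reference:" lines in the post.
REFERENCE_PREFIXES = {
    "cve": "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "url": "http://",
}

# One cross-reference: "[Xref => <system> <id>]". \s+ also matches a newline,
# so a reference wrapped across two lines (as in the post) is still recognised.
XREF = re.compile(r"\[Xref\s*=>\s*(\S+)\s+([^\]\s]+)\]")

# Constructed sample: the Xref tail of the newer-format alert shown in the post.
SAMPLE = (
    "[**] [1:1411:3] SNMP public access udp [**]\n"
    "[Classification: Attempted Information Leak] [Priority: 2] \n"
    "[Xref => cve can-2002-0013][Xref => cve can-2002-0012][Xref => cve\n"
    "can-1999-0517]\n"
)


def expand_xrefs(alert_text, prefixes=REFERENCE_PREFIXES):
    """Rewrite bare Xref ids as URLs.

    Entries that already carry a URL (the older output format) and entries
    for a reference system with no known prefix are returned unchanged.
    """
    def repl(match):
        system, ref_id = match.group(1), match.group(2)
        prefix = prefixes.get(system.lower())
        if prefix is None or "://" in ref_id:
            return match.group(0)
        return "[Xref => %s %s%s]" % (system, prefix, ref_id)

    return XREF.sub(repl, alert_text)


if __name__ == "__main__":
    print(expand_xrefs(SAMPLE))
```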

