Snort mailing list archives

Override alert msg for reputation preprocessor?


From: Duane Howard <duane.security () gmail com>
Date: Thu, 17 Jul 2014 10:24:22 -0700

Hey all, I've enabled alerting for blacklisted events using the reputation
preprocessor, but alerts continue to use the message defined in
spp_reputation.h instead of anything found in gen-msg.map or preproc.rules.

Is there a way to override the message that's sent when writing fast or
unified2 alerts? We do some custom processing and I'd like to be able to
modify this a bit for our specific use case.

examples:
spp_reputation.h:
#define REPUTATION_EVENT_BLACKLIST_STR     "(spp_reputation) packets blacklisted"

gen-msg.map:
136 || 1 || reputation: Packet is blacklisted

preproc.rules:
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; tag:session,60,seconds; classtype:bad-unknown; )

Actual alert resulting:
07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXX.XXX.XXX.XXX:XXXX -> XXX.XXX.XXX.XXX:XXX

I'd like to change "(spp_reputation) packets blacklisted" without needing
to recompile, etc.

Thanks,
Duane
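Added example, not from the post and not Snort's own code: one way to get a custom message without touching spp_reputation.h or recompiling is to leave Snort's alert_fast output alone and rewrite the message text downstream, keyed on the [gid:sid:rev] triple, using a gen-msg.map-style table. The sample alert line is the one from the post with the masked addresses replaced by RFC 5737 documentation addresses (an assumption), and the gen-msg.map content is constructed for the example. Lines that do not parse, or whose gid:sid has no entry, pass through unchanged so no event is dropped.

```python
import re

# Constructed sample alert_fast line based on the one in the post; the masked
# addresses/ports are replaced with RFC 5737 documentation addresses (assumption).
SAMPLE_ALERT = (
    "07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:44321 -> 198.51.100.7:443"
)

# Constructed gen-msg.map-style content: "gid || sid || message" per line.
GEN_MSG_MAP = """\
# gid || sid || message
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
"""

# alert_fast layout: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..]
# [Priority: N] {PROTO} src:port -> dst:port"; classification/priority optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map-style text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue  # skip malformed lines rather than aborting the whole map
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table


def parse_alert(line):
    """Split one alert_fast line into its fields, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("pri")) if m.group("pri") is not None else None,
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def format_alert(rec):
    """Re-emit a parsed record in alert_fast layout."""
    parts = [f"{rec['ts']}  [**] [{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']} [**]"]
    if rec["classification"] is not None:
        parts.append(f"[Classification: {rec['classification']}]")
    if rec["priority"] is not None:
        parts.append(f"[Priority: {rec['priority']}]")
    parts.append(f"{{{rec['proto']}}} {rec['src']} -> {rec['dst']}")
    return " ".join(parts)


def rewrite_msg(line, table):
    """Replace the message of a fast alert with the table text for its gid:sid.

    Unparseable lines and unknown gid:sid pairs are returned unchanged.
    """
    rec = parse_alert(line)
    if rec is None:
        return line
    new_msg = table.get((rec["gid"], rec["sid"]))
    if new_msg is None:
        return line
    rec["msg"] = new_msg
    return format_alert(rec)


if __name__ == "__main__":
    print(rewrite_msg(SAMPLE_ALERT, parse_gen_msg_map(GEN_MSG_MAP)))
```

This only applies to the text output. A unified2 record carries gid, sid and rev but no message string at all; whatever reads the spool (barnyard2, for example) looks the text up by gid:sid in gen-msg.map and sid-msg.map, so for that path editing the map the reader uses is sufficient.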
_______________________________________________
Snort-users mailing list
https://lists.sourceforge.net/lists/listinfo/snort-users