Snort mailing list archives

Re: Override alert msg for reputation preprocessor?


From: Hui cao <huica () cisco com>
Date: Thu, 17 Jul 2014 17:36:35 -0400

You are correct.

Best,
Hui.
On 07/17/2014 05:31 PM, Duane Howard wrote:
Thanks Hui,

So I'm reading the answer as, "no, there's no way to override this value without modifying the source and recompiling."

./d


On Thu, Jul 17, 2014 at 12:28 PM, Hui cao <huica () cisco com> wrote:

    Hi Duane,

    This is done intentionally. If it's a preprocessor or decoder
    rule, the message we want to use is the one that was in snort, not
    what is in the message of the rule, which will be generic if the
    rule was not autogenerated and potentially wrong if it was.

    Best,
    Hui.


    On 07/17/2014 01:24 PM, Duane Howard wrote:
    Hey all, I've enabled alerting for blacklisted events using the
    reputation preprocessor, but alerts continue to use the message
    defined in:
    spp_reputation.h

    Instead of anything found in gen-msg.map or preproc.rules.

    Is there a way to override the message that's sent when writing
    fast or unified2 alerts? We do some custom processing and I'd
    like to be able to modify this a bit for our specific use case.

    examples:
    spp_reputation.h:
    #define REPUTATION_EVENT_BLACKLIST_STR "(spp_reputation) packets
    blacklisted"

    gen-msg.map:
    136 || 1 || reputation: Packet is blacklisted

    preproc.rules:
    alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev:
    1; metadata: rule-type preproc ; tag:session,60,seconds;
    classtype:bad-unknown; )

    Actual alert resulting:
    07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets
    blacklisted [**] [Classification: Potentially Bad Traffic]
    [Priority: 2] {TCP} XXX.XXX.XXX.XXX:XXXX -> XXX.XXX.XXX.XXX:XXX

    I'd like to change "(spp_reputation) packets blacklisted" without
    needing to recompile, etc.

    Thanks,
    Duane




    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the latest Snort news!

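Since the thread concludes that the compiled-in string from spp_reputation.h cannot be overridden from configuration, the remaining option is the post-processing Duane mentions. The script below is an added example, not code from the thread or from Snort: it parses the gen-msg.map format shown above ("gid || sid || msg") and rewrites the message field of a fast-alert line in place, keyed on the [gid:sid:rev] triple. The sample map and alert line are constructed to match the shapes quoted in the thread.

```python
import re

# Constructed sample inputs, shaped like the snippets quoted in the thread.
GEN_MSG_MAP = """\
# gid || sid || message
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
"""

FAST_ALERT = (
    "07/14-02:51:30.229493  [**] [136:1:1] (spp_reputation) packets blacklisted [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80"
)

# Fast-alert layout: "[**] [gid:sid:rev] <msg> [**] ..."; group 4 is the message text.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def parse_gen_msg_map(text):
    """Parse gen-msg.map lines 'gid || sid || msg' into a {(gid, sid): msg} table.

    Blank lines and '#' comments are skipped; malformed lines are ignored rather
    than aborting, so one bad entry does not stop alert processing.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def rewrite_msg(alert_line, table):
    """Swap the compiled-in preprocessor message for the gen-msg.map text.

    Lines that do not match the fast-alert layout, or whose (gid, sid) has no
    map entry, are returned unchanged so the rest of the alert is never damaged.
    """
    m = ALERT_RE.search(alert_line)
    if not m:
        return alert_line
    new_msg = table.get((int(m.group(1)), int(m.group(2))))
    if new_msg is None:
        return alert_line
    return alert_line[:m.start(4)] + new_msg + alert_line[m.end(4):]


if __name__ == "__main__":
    print(rewrite_msg(FAST_ALERT, parse_gen_msg_map(GEN_MSG_MAP)))
```

Pipe the fast-alert file through `rewrite_msg` line by line; the rev field and everything after the second `[**]` are left untouched, so downstream parsers keyed on gid:sid:rev keep working.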