Re: alerts with "[Xref => arachnids" tag bunched together in Snort alert file

["Lawrence Reed" <Lawrence.Reed () noaa gov>]

Here is a change I made to 1.9.0 beta 6 for this problem.

I am currently using the alert file with full format and noticed that 
alerts with Xrefs do not have a blank line after them.   Here is a small 
patch I use to get the blank lines more consistant.


--- src/log.c    Fri Jun 21 09:55:06 2002
+++ src-new/log.c    Mon Aug 19 10:08:50 2002
@@ -1680,7 +1680,8 @@
* Returns: void function
*/
void PrintXrefs(FILE *fp, int do_newline)
-{
+{  +    int checknewline = 0;
   ReferenceNode *refNode = NULL;

   if(otn_tmp)
@@ -1691,7 +1692,9 @@
       {
           FPrintReference(fp, refNode);
           refNode = refNode->next;
+            checknewline = 1;
       }
+        if ( do_newline && checknewline ) fprintf(fp,"\n");
   }
}




murcsu murcsu () mail com wrote:

> I searched the archives but didn't see any mention of this.
>
> Since I upgraded to Snort 1.9, the alerts with the "[Xref => arachnids" 
> tag are bunched together without a blank line separating them.
>
> [**] [1:566:3] POLICY PCAnywhere server response [**]
> [Classification: Misc activity] [Priority: 3] 
> 10/09-17:37:23.059980 a.b.c.d:44100 -> w.x.y.z:5632
> UDP TTL:116 TOS:0x0 ID:15491 IpLen:20 DgmLen:30
> Len: 10
> [Xref => arachnids 239]
> [**] [1:480:2] ICMP PING speedera [**]
> [Classification: Misc activity] [Priority: 3] 
> 10/09-17:40:11.503608 a.b.c.d -> w.x.y.z
> ICMP TTL:49 TOS:0x0 ID:38604 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:7693   Seq:59926  ECHO
>
> The alerts without the Xref tag display with whitespace between them.
>
> [**] [1:1002:5] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1] 
> 10/09-23:22:12.196847 a.b.c.d:4876 -> w.x.y.z:80
> TCP TTL:117 TOS:0x0 ID:39095 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0x48142058  Ack: 0x71F0399B  Win: 0x2238  TcpLen: 20
>
> [**] [1:1002:5] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1] 
> 10/09-23:22:12.259297 a.b.c.d:4888 -> w.x.y.z:80
> TCP TTL:117 TOS:0x0 ID:44471 IpLen:20 DgmLen:157 DF
> ***AP*** Seq: 0x48198BD7  Ack: 0x71F0FC90  Win: 0x2238  TcpLen: 20
>
> SnortSnarf apparently uses the whitespace as a delimiter, so it will 
> display a group of alerts bunched together as a single alert.
>
> Has anyone else run into this problem?
>
> My sensors are running OpenBSD 3.0.  Snort 1.9 was built from source.  
> My reporting machine is running SnortSnarf-020516.1 on Solaris 8.  
> Snort 1.9 was built from source.
>
> My Snort command:
> /usr/local/bin/snort -c /root/snort/snort.conf -h w.x.y.z/24 -i \
> fxp1 -A full -b -D
>
> My SnortSnarf command:
> /usr/local/bin/snortsnarf.pl -d $DMZ/10/10/ -ldir \
> https://reporter/dmz/2002/10/10/ -homenet w.x.y.z/24 $DMZ/10/10/alert
>
> Thanks.
>  




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users