Snort mailing list archives

RE: Obtain CVE id from unix sock output of Snort

From: "Biswas, Proneet" <pbiswas () iPolicyNet COM>
Date: Tue, 3 Feb 2004 09:39:03 -0800

Hi,
  Is there any tool which correlates the Snort alerts with Nessus data ?
Thanks.

-----Original Message-----
From: Matteo [mailto:matteo () genhome org]
Sent: Tuesday, February 03, 2004 2:33 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Obtain CVE id from unix sock output of Snort


Hello all,
I'm writing a little prog that read the data from the snort unisx dom 
socket and I need to retrieve, if it's presente, the cve code from 
the reference of the alert.

I'm reading a structure like 

typedef struct _Event {
 u_int32_t sig_generator; 
 u_int32_t sig_id; 
 u_int32_t sig_rev; 
 u_int32_t classification; 
 u_int32_t priority; 
 u_int32_t event_id; 
 u_int32_t event_reference;
 struct timeval ref_time; 
} Event;

/* alert socket code */
typedef struct _Snortpkt {
 u_int8_t alertmsg[ALERTMSG_LENGTH];
 struct timeval ts;
 u_int32_t caplen;
 u_int32_t len;
 u_int32_t dlthdr; 
 u_int32_t nethdr; 
 u_int32_t transhdr; 
 u_int32_t data;
 u_int32_t val; 
#define NOPACKET_STRUCT 0x1
#define NO_TRANSHDR 0x2
 u_int8_t pkt[SNAPLEN];
 Event event;
} Snortpkt;


how could I obtain the CVE from here?

Thankx all,

---------------------------------------------------------------------
Matteo Poropat
  + homepage:   http://www.genhome.org
  + software:   http://www.genhome.org/genhome/soft_vari.html

Fanzine "MEMORIE dal BUIO"
  + homepage:   http://www.genhome.org/memoriedalbuio/default.html
  + mail list:  http://it.groups.yahoo.com/group/memoriedalbuio
----------------------------------------------------------------------

---------------------------------------------------------------------
Matteo Poropat
  + homepage:   http://www.genhome.org
  + software:   http://www.genhome.org/genhome/soft_vari.html

Fanzine "MEMORIE dal BUIO"
  + mail list:  http://it.groups.yahoo.com/group/memoriedalbuio
  + homepage:   http://www.genhome.org/memoriedalbuio/default.html
----------------------------------------------------------------------




-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Obtain CVE id from unix sock output of Snort Matteo (Feb 03)
- Re: Obtain CVE id from unix sock output of Snort Brian (Feb 03)
- <Possible follow-ups>
- RE: Obtain CVE id from unix sock output of Snort Biswas, Proneet (Feb 03)
  - Re: Obtain CVE id from unix sock output of Snort Brian (Mar 01)