Snort mailing list archives

Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 03 Sep 2010 14:47:53 -0500

--On Thursday, September 02, 2010 17:52:36 -0400 "Lawrence R. Hughes, Sr." 
<lhughes () safemedia com> wrote:

> Hi Paul,
>
> Thanks for your reply, going on your description:
>
> paul> The classification id is "embedded" in the db already.  Each active
> paul> signature is registered with its class_id when it's read into snort
> paul> during startup.  When a signature triggers, its sig_name ties to all
> paul> the other values.
>
> I cleared my mysql.log, started barnyard2 then snort.
>
> I checked the mysql.log and it did not show where barnyard did anything you
> mentioned above at startup.


Because your database was already populated.

From line 1371 ff. of spo_database.c:

    sig_id = Select(select0, data);

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *                          revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.
     */
    if(sig_id == 0)
    {
        if(cn != NULL)
        {
            /* classification */
            if(cn->type)
            {
                /* Get the ID # of this classification */
                select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1);
                sig_class = snort_escape_string(cn->type, data);

                ret = SnortSnprintf(select1, MAX_QUERY_LENGTH,
                                    "SELECT sig_class_id "
                                    "  FROM sig_class "

And so forth.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
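
[Editor's note, not part of Paul's message or of the Snort/barnyard2 sources: the
excerpt above is easier to reason about when the control flow is run end to end.
The script below is an added example that models the signature-registration path
in a constructed, cut-down SQLite copy of the snort database schema (only the
signature and sig_class columns that path touches). The lookup is keyed on the
rule message text and revision, as the comment in spo_database.c describes,
which is a simplification of the real query; the rule names, sid and classtype
are made up for the demonstration. It shows why a populated database produces no
INSERTs in mysql.log, and the caveat from the same comment: a classification
added to a rule after its first alert is never stored until sig_rev changes.
unclassified() is the query to run against a real database when BASE shows
alerts with an empty classification.]

```python
import sqlite3

# Constructed stand-in for the MySQL "snort" database: only the columns the
# signature-registration path in spo_database.c touches.  Not the real schema.
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_class_name TEXT NOT NULL UNIQUE
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER NOT NULL,
    sig_sid      INTEGER,
    sig_gid      INTEGER
);
"""


def open_db():
    """In-memory database with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def class_id_for(conn, class_name):
    """Mirror of the 'SELECT sig_class_id FROM sig_class' lookup in the excerpt,
    plus the insert-if-missing step that follows it.  Returns None for rules
    that carry no classtype, which is what leaves sig_class_id NULL."""
    if not class_name:
        return None
    row = conn.execute(
        "SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?",
        (class_name,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute(
        "INSERT INTO sig_class (sig_class_name) VALUES (?)", (class_name,))
    return cur.lastrowid


def register_signature(conn, name, rev, class_name=None, priority=None,
                       sid=None, gid=1):
    """Return (sig_id, inserted).

    Same control flow as the excerpt: one SELECT keyed on message text and
    revision (simplified key, assumption); only when it returns nothing are
    the class, priority and sid/gid written.  An existing row is never
    updated, so a classification added later is ignored until rev changes.
    """
    row = conn.execute(
        "SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ?",
        (name, rev)).fetchone()
    if row:
        return row[0], False          # populated DB: nothing else is logged
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_class_id, sig_priority, "
        "sig_rev, sig_sid, sig_gid) VALUES (?, ?, ?, ?, ?, ?)",
        (name, class_id_for(conn, class_name), priority, rev, sid, gid))
    conn.commit()
    return cur.lastrowid, True


def unclassified(conn):
    """Rows first logged before their classtype existed: (sig_name, sig_rev).
    Running this against a real snort database finds the alerts BASE shows
    with an empty classification."""
    return conn.execute(
        "SELECT sig_name, sig_rev FROM signature WHERE sig_class_id IS NULL "
        "ORDER BY sig_name, sig_rev").fetchall()


def demo():
    """Walk the three states from the spo_database.c comment (constructed rule)."""
    conn = open_db()
    # 1. first alert from a rule that has no classtype -> row with NULL class
    _, first = register_signature(conn, "LOCAL example rule", rev=1, sid=1000001)
    # 2. classtype added, rev left at 1 -> SELECT hits, nothing written
    _, second = register_signature(conn, "LOCAL example rule", rev=1,
                                   class_name="misc-activity", priority=3,
                                   sid=1000001)
    # 3. rev bumped to 2 -> new row, now carrying the classification
    _, third = register_signature(conn, "LOCAL example rule", rev=2,
                                  class_name="misc-activity", priority=3,
                                  sid=1000001)
    return conn, (first, second, third)
```

The practical consequence for the thread's question: once a signature row exists,
every later alert with the same name and revision takes the early return, so
neither barnyard2 nor snort will issue the class/priority INSERTs at startup or
on the next trigger, and clearing mysql.log shows nothing. To get a corrected
classification into the database either bump the rule's rev, or fix the
existing rows by hand with an UPDATE on signature.sig_class_id.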

