Snort mailing list archives
Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 03 Sep 2010 14:47:53 -0500
--On Thursday, September 02, 2010 17:52:36 -0400 "Lawrence R. Hughes, Sr." <lhughes () safemedia com> wrote:
> Hi Paul,
>
> Thanks for your reply, going on your description:
>
> paul> The classification id is "embedded" in the db already. Each active signature
> paul> is registered with its class_id when it's read into snort during startup. When
> paul> a signature triggers, its sig_name ties to all the other values.
>
> I cleared my mysql.log, started barnyard2 then snort. I checked the mysql.log and it
> did not show where barnyard did anything you mentioned above at startup.
Because your database was already populated.
From line 1371 &ff of spo_database.c
    sig_id = Select(select0, data);

    /* If this signature is detected for the first time
     *  - write the signature
     *  - write the signature's references, classification, priority, id,
     *    revision number
     * Note: if a signature (identified with a unique text message, revision #)
     *       initially is logged to the DB without references/classification,
     *       but later they are added, this information will _not_ be
     *       stored/updated unless the revision number is changed.
     *       This algorithm is used in order to prevent many DB SELECTs to
     *       verify their presence _every_ time the alert is triggered.
     */
    if(sig_id == 0)
    {
        if(cn != NULL)
        {
            /* classification */
            if(cn->type)
            {
                /* Get the ID # of this classification */
                select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1);
                sig_class = snort_escape_string(cn->type, data);
                ret = SnortSnprintf(select1, MAX_QUERY_LENGTH,
                                    "SELECT sig_class_id "
                                    "  FROM sig_class "

And so forth.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who
have renounced the use of reason as to
administer medication to the dead."
Thomas Jefferson
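The comment quoted from spo_database.c describes a cache keyed on (signature message, revision): the classification is looked up and written only the first time a given (sig_name, rev) pair is seen, so a classtype added to a rule later is never backfilled unless the rule's rev is bumped. The following is an added example, not code from the thread or from the Snort/barnyard2 source. It models that first-detection path against an in-memory SQLite database, using a constructed, simplified schema: the `sig_class` table and `sig_class_id` column appear in the quoted query, while the `signature` table layout and the `sig_class_name` / `sig_rev` column names are assumptions made for the example. It also shows the audit query a BASE operator would run to find signature rows that were logged without a classification, which is what shows up as an empty classification in the console.

```python
import sqlite3

# Constructed, simplified schema. Only sig_class / sig_class_id come from the
# quoted spo_database.c query; the other names are assumptions for this example.
SCHEMA = """
CREATE TABLE sig_class (
    sig_class_id   INTEGER PRIMARY KEY,
    sig_class_name TEXT UNIQUE NOT NULL
);
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_rev      INTEGER NOT NULL,
    sig_class_id INTEGER,
    UNIQUE (sig_name, sig_rev)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def class_id_for(conn, class_name):
    """Look up a classification by name, inserting it on first sight."""
    row = conn.execute("SELECT sig_class_id FROM sig_class WHERE sig_class_name = ?",
                       (class_name,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO sig_class (sig_class_name) VALUES (?)", (class_name,))
    return cur.lastrowid

def log_alert(conn, sig_name, rev, class_name=None):
    """Mimic the first-detection path: the signature row (with its class) is
    written only when no row exists for (sig_name, rev). Later alerts for the
    same pair reuse the cached row and write nothing else, exactly as the
    quoted comment warns."""
    row = conn.execute("SELECT sig_id FROM signature WHERE sig_name = ? AND sig_rev = ?",
                       (sig_name, rev)).fetchone()
    if row:
        return row[0]            # corresponds to sig_id != 0 in the C code
    cid = class_id_for(conn, class_name) if class_name else None
    cur = conn.execute(
        "INSERT INTO signature (sig_name, sig_rev, sig_class_id) VALUES (?, ?, ?)",
        (sig_name, rev, cid))
    return cur.lastrowid

def classification_of(conn, sig_name, rev):
    """Classification name stored for a (sig_name, rev) pair, or None."""
    row = conn.execute(
        "SELECT c.sig_class_name FROM signature s "
        "LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id "
        "WHERE s.sig_name = ? AND s.sig_rev = ?", (sig_name, rev)).fetchone()
    return row[0] if row else None

def unclassified_signatures(conn):
    """Audit query: signature rows that were logged without a classification."""
    return [(n, r) for n, r in conn.execute(
        "SELECT sig_name, sig_rev FROM signature WHERE sig_class_id IS NULL ORDER BY sig_id")]

def demo():
    conn = open_db()
    name = "TEST rule without classtype"          # constructed rule message
    # 1. first alert for rev 1 arrives while the rule has no classtype
    log_alert(conn, name, 1)
    # 2. classtype is added to the rule but rev is not bumped: cached row wins
    log_alert(conn, name, 1, "misc-activity")
    stale = classification_of(conn, name, 1)      # still None
    # 3. bumping rev makes a new (sig_name, rev) pair, so the class is written
    log_alert(conn, name, 2, "misc-activity")
    fresh = classification_of(conn, name, 2)      # "misc-activity"
    return stale, fresh, unclassified_signatures(conn)

if __name__ == "__main__":
    print(demo())
```

The practical takeaway for anyone who adds or changes `classtype` on an existing rule is to bump its `rev` at the same time; otherwise the row already cached in the database keeps the old (or missing) classification, and the audit query above is how to find the rows affected.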
Current thread:
- snort 2.8.6.1/base/ barnyard2 unified2 classification_id Lawrence R. Hughes, Sr. (Sep 02)
- Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id Paul Schmehl (Sep 02)
- Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id Lawrence R. Hughes, Sr. (Sep 02)
- Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id Paul Schmehl (Sep 03)
- Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id Lawrence R. Hughes, Sr. (Sep 02)
- Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id Paul Schmehl (Sep 02)