Re: Fwd: [Snort-Users] snort signature code

[Steven Sturges <ssturges () sourcefire com>]

This code allows Snort to print a meaningful url related to a short
reference value that is specified in a rule.  The meaning of each of
the reference names (cve, bugtraq, etc) are specified in reference.config.

For example, if a rule has "reference:cve,2010-0000;"

When Snort generates an alert where it includes reference information,
that gets expanded to 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0000

Hope this helps.

On 6/10/11 1:00 PM, Joel Esler wrote:
> Begin forwarded message:
>
> > *From: *nashwa salah <nashwasalah8 () gmail com
> > <mailto:nashwasalah8 () gmail com>>
> > *Date: *June 10, 2011 12:03:52 PM EDT
> > *To: *Snort-Users <snortusers () googlegroups com
> > <mailto:snortusers () googlegroups com>>
> > *Subject: **[Snort-Users] snort signature code*
> > *mime-version: *1.0
> > *user-agent: *G2/1.0
> >
> > i want to know what this code mean or what that main function of it in
> > signature file:
> >
> > ReferenceSystemNode * ReferenceSystemAdd(ReferenceSystemNode **head,
> > char *name, char *url)
> > {
> > ReferenceSystemNode *node;
> >
> > if (name == NULL)
> > {
> > ErrorMessage("NULL reference system name\n");
> > return NULL;
> > }
> >
> > if (head == NULL)
> > return NULL;
> >
> > /* create the new node */
> > node = (ReferenceSystemNode
> > *)SnortAlloc(sizeof(ReferenceSystemNode));
> >
> > node->name = SnortStrdup(name);
> > if (url != NULL)
> > node->url = SnortStrdup(url);
> >
> > /* Add to the front of the list */
> > node->next = *head;
> > *head = node;
> >
> > return node;
> > }
> >
> > ReferenceSystemNode * ReferenceSystemLookup(ReferenceSystemNode *head,
> > char *name)
> > {
> > if (name == NULL)
> > return NULL;
> >
> > while (head != NULL)
> > {
> > if (strcasecmp(name, head->name) == 0)
> > break;
> >
> > head = head->next;
> > }
> >
> > return head;
> > }
> >
> > --
> > To post to this group, send email to snortusers () googlegroups com
> > <mailto:snortusers () googlegroups com>
> >
> > For more information, please visit http://www.snort.org
>
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel