Re: How to use alertAdd to generate a "variable" alert message?

[Russ Combs <rcombs () sourcefire com>]

On Mon, May 27, 2013 at 2:49 PM, Hai Minh Nguyen <lightsea90 () gmail com> wrote:
> Help me, please!
>
>
> On Sat, May 25, 2013 at 11:16 PM, Hai Minh Nguyen <lightsea90 () gmail com>
> wrote:
> > Hi,
> >
> > I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor. But
> > I face a problem:
> >
> > I ran this code:
> >
> > char alert[256];
> > double score = MyFunction();
> > sprintf(alert, "Alert: Score = %lf", score);
> > _dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);
> >
> > I'm using 2 output modules to check it: alert_fast and unified2 (to mysql
> > by barnyard2). I checked the result in alert_fast output file but it didn't
> > show the correct alert message (e.g. Alert: Score = 10.00000) ! In fact, the
> > message contains special characters.
If by "special characters" you mean something other than what you put
in your alert[] buffer, you need to make alert[] static or declare it
outside of your function.  Only the pointer to alert[] is actually
queued.  Note that alertAdd() does not consume your data before
returning.  It is queued for later use.  If you allow other such
alerts to fire at the same time, you will need multiple buffers too.

> > For mysql database, barnyard2 cant save the alert with the message so it
> > save as "Snort: Alert", it noticed that the trouble is of sid-msg.map and
> > gen-msg.map.
> >
> > Could you please tell me how to solve my problem? How can I get the
> > correct message and save the alert with it on Snort database?
> >
> > --
> > Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại
> > một lần, nhưng chưa ai qua nổi quá tam chiêu!!!
>
>
>
>
> --
> Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại một
> lần, nhưng chưa ai qua nổi quá tam chiêu!!!
>
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!