Re: How to use alertAdd to generate a "variable" alert message?

[Hai Minh Nguyen <lightsea90 () gmail com>]

Thanks, Russ! :) Solved!


On Tue, May 28, 2013 at 9:44 AM, Russ Combs <rcombs () sourcefire com> wrote:

> On Mon, May 27, 2013 at 2:49 PM, Hai Minh Nguyen <lightsea90 () gmail com>
> wrote:
> > Help me, please!
> >
> >
> > On Sat, May 25, 2013 at 11:16 PM, Hai Minh Nguyen <lightsea90 () gmail com>
> > wrote:
> > > Hi,
> > >
> > > I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor.
> But
> > > I face a problem:
> > >
> > > I ran this code:
> > >
> > > char alert[256];
> > > double score = MyFunction();
> > > sprintf(alert, "Alert: Score = %lf", score);
> > > _dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);
> > >
> > > I'm using 2 output modules to check it: alert_fast and unified2 (to
> mysql
> > > by barnyard2). I checked the result in alert_fast output file but it
> didn't
> > > show the correct alert message (e.g. Alert: Score = 10.00000) ! In
> fact, the
> > > message contains special characters.
> If by "special characters" you mean something other than what you put
> in your alert[] buffer, you need to make alert[] static or declare it
> outside of your function.  Only the pointer to alert[] is actually
> queued.  Note that alertAdd() does not consume your data before
> returning.  It is queued for later use.  If you allow other such
> alerts to fire at the same time, you will need multiple buffers too.
>
> > > For mysql database, barnyard2 cant save the alert with the message so it
> > > save as "Snort: Alert", it noticed that the trouble is of sid-msg.map
> and
> > > gen-msg.map.
> > >
> > > Could you please tell me how to solve my problem? How can I get the
> > > correct message and save the alert with it on Snort database?
> > >
> > > --
> > > Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại
> > > một lần, nhưng chưa ai qua nổi quá tam chiêu!!!
> >
> >
> >
> >
> > --
> > Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại
> một
> > lần, nhưng chưa ai qua nổi quá tam chiêu!!!
> ------------------------------------------------------------------------------
> > Try New Relic Now & We'll Send You this Cool Shirt
> > New Relic is the only SaaS-based application performance monitoring
> service
> > that delivers powerful full stack analytics. Optimize and monitor your
> > browser, app, & servers with just a few lines of code. Try New Relic
> > and get this awesome Nerd Life shirt!
> http://p.sf.net/sfu/newrelic_d2d_may
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!



-- 
Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại một
lần, nhưng chưa ai qua nổi quá tam chiêu!!!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!