Snort mailing list archives

Custom dynamic preprocessor - How to display alert message passed to alertAdd func?


From: Jan Hermes <jan.hermes () hotmail de>
Date: Wed, 21 Sep 2016 13:56:38 +0000

Hello,

I built a dynamic preprocessor and would like it to create several 
specific alert messages. Let me give you a short example with some 
fictional assumptions:

- the preproc parses specific protocols that are not native for snort

- let's say the protocol is: [src_address, dest_address, src_user_name]

- the preprocessor parses all this information from the packet

- if the src_user_name equals "bad_intruder", I want an alert to be 
generated (of course the simplified concatenation and comparison of 
strings is only for better readability):
------------------------------------------------------

if (strcmp(parsed.src_user_name, "bad_intruder") == 0) {
    unsigned int gid = 100000, sid = 9000000, revision = 1;
    unsigned int classification = 0, priority = 3;
    void *rule_info = NULL;
    char msg[256];

    /* build the alert text at runtime from the parsed fields */
    snprintf(msg, sizeof(msg), "%s attacks %s",
             parsed.src_user_name, parsed.dest_address);

    _dpd.alertAdd(gid, sid, revision, classification, priority, msg, rule_info);
}
-------------------------------------------------------

- the local.rules file has this entry:
        alert (sid: 9000000; gid: 100000; msg: "alarm"; rev: 1 )

- the output I get from the alert detection is:
         09/21-13:30:18.178080  [**] [100000:9000000:1] alarm [**]

- But I would like it to display the message the way I passed it within the 
preprocessor's code, e.g.:

         09/21-13:30:18.178080  [**] [100000:9000000:1] bad_intruder 
attacks 172.223.9.151 [**]


How can I achieve this? I already tried to omit the message in the 
local.rules, which leaves me without any message at all.

Thanks,
Jan



------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel