diff -r -u SnortSnarf-020126.1.orig/include/SnortSnarf/SnortFileInput.pm SnortSnarf-020126.1/include/SnortSnarf/SnortFileInput.pm
--- SnortSnarf-020126.1.orig/include/SnortSnarf/SnortFileInput.pm	Sat Jan 26 15:02:09 2002
+++ SnortSnarf-020126.1/include/SnortSnarf/SnortFileInput.pm	Wed Mar 13 21:11:36 2002
@@ -74,6 +74,8 @@
         return "http://vil.nai.com/vil/dispVirus.asp?virus_k=$id";
     } elsif ($cite eq 'url') {
         return "http://$id";
+    } elsif ($cite eq 'sid') {
+        return "http://www.snort.org/snort-db/sid.html?id=$id";
     } else {
         return undef;
     }
@@ -89,7 +91,9 @@
         return ('cve',$1);
     } elsif (m!http://vil\.nai\.com/vil/dispVirus\.asp\?virus_k=(.*)!) {
         return ('mcafee',$1);
-    } elsif (m!http://(.*)!) {
+    } elsif (m!http://www\.snort\.org/snort-db/sid\.html\?id=(.*)!) {
+        return ('sid',$1);
+    } elsif (m!http://(.*)!) {
         return ('url',$1);
     } else {
         return ();
@@ -304,7 +308,8 @@
     #
     # the first line just holds the attack id
     s/^\[\*\*\]\s*//;
     s/\s*\[\*\*\]\s*$//;
-    s/\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+    s/\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+    $refs{'sid'} = $1;
     $sig = $_;
     # Note: does not handle preprocessor log output
@@ -419,7 +424,8 @@
     }
     s/^\-(\S*)//;
     $time= $1;
-    s/\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+    s/\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+    $refs{'sid'} = $1;
     if (s/\[Classification\s*:\s*([^\]]+)\]//) { # extract class and priority
         $classificationtext= $1;
     }
@@ -465,7 +471,8 @@
         if (s/\[Priority\s*: (\d+)*\]//) {
             $prioritynum= $1;
         }
-        s/^\[\d+:\d+:\d+\]//; # discard originator, sid, revision info
+        s/^\[\d+:(\d+):\d+\]//; # discard originator, revision info, capture sid
+        $refs{'sid'} = $1;
         $sig= $_;
         $pkt->set('protocol' => $proto) if defined($proto);
     } else { # $format eq 'spp_portscan'
Only in SnortSnarf-020126.1: snfout.snort.alert
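Review bot: The new `'sid'` branch in the first hunk interpolates `$id` straight into the returned URL with no check that it is numeric, although a Snort SID is always an integer and the alert parsers later in this patch capture it with `(\d+)`. The matching parser added in the second hunk captures the id with `(.*)`, so anything after `id=` in a reference string round-trips back into this href unchecked; since SnortSnarf renders these links into HTML pages, a digit-only guard keeps arbitrary text out of the generated markup. Consider `return undef unless $id =~ /\A\d+\z/;` before the return here, and `(\d+)` instead of `(.*)` in the second hunk's pattern so both sides agree on the value's shape. The enclosing subroutine starts and ends outside the hunk.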
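Review bot: `$refs{'sid'} = $1;` in the third hunk reads `$1` without checking that the preceding substitution matched, so a line with no `[gid:sid:rev]` bracket (the comment two lines below already notes preprocessor output is not handled) stores a stale capture. In the fourth hunk that stale value would be the timestamp from `s/^\-(\S*)//` just above, and in the fifth hunk the priority number from the `Priority` match, so the recorded SID would be silently wrong rather than absent. Guard the assignment on the substitution's result, `$refs{'sid'} = $1 if s/\[\d+:(\d+):\d+\]//;`, keeping the `^` anchor in the fifth hunk's variant. The same construct is repeated in the fourth and fifth hunks; the enclosing subroutine extends beyond each hunk on both sides.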