Snort mailing list archives
Snort Preprocessors
From: Sheppard Martin Contr AFRL/IFGA <Martin.Sheppard () rl af mil>
Date: Tue, 10 May 2005 21:00:23 -0000
Hello all,

The Snort site provides information regarding various alerts that are generated by the rules contained in the rules files. My question is: Is there a good source of information regarding the alerts that the preprocessors/modules generate and why each alert is generated? I recently had an alert generated from the http_inspect module and had to "go to the code" to figure out the exact reason the alert was generated. This took a bit more time than it could have if I had documentation about the alert or (if such a data source exists) the knowledge of where to find the list. Optimally, a reference list for the modules is desirable.

Also, while I am sending this message, I preload the references from the rules files into a database to allow an analyst to browse to reference web sites related to various alerts. At the present time I use the signature id and fill in the database with a Snort reference. However, sometimes the Snort site does not contain reference information. From my point of view it would be desirable to have a snort reference in the rules file for signatures that have references at snort.org. Anyone have the same desire?

And oh, by the way, are port lists in the near future?

Sorry for the long email) Thanks in advance for any pointers)

Marty.
