Snort mailing list archives

Re: How to proceed


From: Ralf Spenneberg <lists () spenneberg org>
Date: Fri, 11 Nov 2005 08:36:16 +0100

On Thursday, 10.11.2005, at 23:05 -0500, Kevin Johnson wrote:
> On Thu, 2005-11-10 at 17:29 +0100, Ralf Spenneberg wrote:
> > you configured everything correctly. This is a shortcoming in Base.
> I hate to disagree... but my understanding is different.
>
> > The alert was generated by a preprocessor and not a signature. Base
> > cannot yet distinguish between these alerts and always tries to look up a
> > signature at the snort homepage. All sids below 100 definitely are
> > preprocessor alerts and are not accessible through the snort homepage.
>
> Snort does not log the Generator id to the database, so BASE can not
> read it.  A patch was submitted to Sourcefire to include this field in
> the future with a schema change to 107.  So far that patch has not been
> applied.  I know that there is some concern for other projects not
> knowing how to handle that field.
True, I should have said: shortcoming in the Snort/Base combination. Since
Snort does not log it, Base cannot display it.

Ralf
-- 
Ralf Spenneberg
OpenSource Training                     http://www.opensource-training.de
Webereistr. 1                           48565 Steinfurt           Germany
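As an added example that is not part of this thread (it is not Snort or BASE code), the script below shows the point being argued: the generator ID in the [gid:sid:rev] triple of Snort's alert_fast output is what separates rule-engine alerts (gid 1) from preprocessor alerts, and a database row that carries only the sid cannot be classified, because every generator numbers its own sids. The alert lines are constructed for this example, the signature lookup URL pattern is a placeholder and not BASE's real one, and the message texts are invented.

```python
"""Classify Snort alert_fast lines by generator ID (added example).

Every alert_fast line carries a [gid:sid:rev] triple. gid 1 is the rules
engine; preprocessors and the decoder use their own gids (e.g. 119 for
http_inspect, 122 for sfportscan) and their own sid numbering, so a sid
without its gid is ambiguous. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The [**] [gid:sid:rev] msg [**] header Snort writes in alert_fast output.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

RULES_ENGINE_GID = 1

# Placeholder lookup pattern (assumption for this example, not BASE's URL).
SIG_LOOKUP_URL = "https://example.invalid/sigs?sid={sid}"


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str

    @property
    def from_rule(self) -> bool:
        """True only for alerts raised by the rules engine."""
        return self.gid == RULES_ENGINE_GID

    def lookup_url(self) -> Optional[str]:
        """A signature reference makes sense only for rule alerts."""
        if not self.from_rule:
            return None
        return SIG_LOOKUP_URL.format(sid=self.sid)


def parse_alert(line: str) -> Optional[Alert]:
    """Extract gid/sid/rev/msg from one alert_fast line, or None if absent."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"])


def classify(lines: List[str]) -> Tuple[List[Alert], List[Alert], int]:
    """Split lines into (rule alerts, preprocessor alerts, unparsable count)."""
    rule_alerts: List[Alert] = []
    pre_alerts: List[Alert] = []
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        elif alert.from_rule:
            rule_alerts.append(alert)
        else:
            pre_alerts.append(alert)
    return rule_alerts, pre_alerts, skipped


def describe_db_row(sid: int, gid: Optional[int]) -> str:
    """Mimic the BASE situation: without a gid column the sid is ambiguous."""
    if gid is None:
        return "ambiguous: sid %d without gid could be a rule or a preprocessor" % sid
    if gid == RULES_ENGINE_GID:
        return "rule alert, lookup " + SIG_LOOKUP_URL.format(sid=sid)
    return "preprocessor alert from gid %d, no signature lookup" % gid


# Constructed sample lines in alert_fast layout (messages are invented).
SAMPLE_LINES = [
    "11/10-17:29:01.123456  [**] [1:2003:8] EXAMPLE rule alert [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:40100 -> 10.0.0.9:80",
    "11/10-17:29:02.654321  [**] [119:2:1] (http_inspect) EXAMPLE decoder alert [**] "
    "[Priority: 3] {TCP} 10.0.0.5:40101 -> 10.0.0.9:80",
    "11/10-17:29:03.000001  [**] [122:1:0] (portscan) EXAMPLE portscan alert [**] "
    "[Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.9",
    "not an alert line at all",
]

if __name__ == "__main__":
    rules, pres, bad = classify(SAMPLE_LINES)
    for a in rules + pres:
        print(a.gid, a.sid, a.msg, "->", a.lookup_url())
    print("unparsable lines:", bad)
    print(describe_db_row(2, None))
    print(describe_db_row(2, 119))
```

Run it against a real alert_fast file by replacing SAMPLE_LINES with the file's lines; the describe_db_row calls show why a sid-only schema cannot tell sid 2 from the rules engine apart from sid 2 of http_inspect.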

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users