[Discussion] Text in Msgs
Frank Knobbe
frank at knobbe.us
Mon Oct 27 16:16:49 UTC 2008
On Mon, 2008-10-27 at 11:25 -0400, Matt Jonkman wrote:
> Would anyone be interested in the ability to insert captured text into
> the alert text of an event?
No, that's a bad idea (at least if you talk about Snort). If you create
new/different message texts, Snort will create a new entry in the
signature table (unique to msg+gid+sid+rev). Also, you would not get the
same text with barnyard or in barnyard (and probably flop) based
installs since BY only reports the sid (the msg is pulled from the
sid-msg.map file).
While you could of course fork barnyard, my concern would be the bloat
of the signature table due to unique msg texts.
-Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20081027/27b44ac6/attachment.sig>
More information about the Discussion
mailing list