[Discussion] Text in Msgs

Frank Knobbe frank at knobbe.us
Mon Oct 27 16:16:49 UTC 2008


On Mon, 2008-10-27 at 11:25 -0400, Matt Jonkman wrote:
> Would anyone be interested in the ability to insert captured text into
> the alert text of an event?

No, that's a bad idea (at least if you talk about Snort). If you create
new/different message texts, Snort will create a new entry in the
signature table (unique to msg+gid+sid+rev). Also, you would not get the
same text with barnyard or in barnyard (and probably flop) based
installs since BY only reports the sid (the msg is pulled from the
sid-msg.map file).

While you could of course fork barnyard, my concern would be the bloat
of the signature table due to unique msg texts.

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
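
A toy model of the two effects described in the message above, added here as an illustration; it is not part of the original post and is not Snort or barnyard code. It assumes the `sid || msg` line layout of sid-msg.map; the rule messages, sids, gid/rev values and captured strings are constructed.

```python
# Added illustration: a toy model, not Snort or barnyard source code.

# Constructed sid-msg.map content, one "sid || msg" entry per line.
SID_MSG_MAP = """\
# constructed sample
2000001 || EXAMPLE Suspicious User-Agent
2000002 || EXAMPLE Cleartext login
"""

# Constructed alerts: (sid, text captured from the packet).
ALERTS = [(2000001, "agent-a"), (2000001, "agent-b"),
          (2000001, "agent-c"), (2000002, "user=bob")]


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map style lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip malformed lines
        mapping[int(fields[0])] = fields[1]
    return mapping


class SignatureTable:
    """Rows are unique per (msg, gid, sid, rev), as the post describes."""

    def __init__(self):
        self.rows = {}

    def sig_id(self, msg, gid, sid, rev):
        # Reuse the row if the exact tuple exists, otherwise allocate a new id.
        return self.rows.setdefault((msg, gid, sid, rev), len(self.rows) + 1)


def simulate(alerts, dynamic_msg):
    """Return (signature rows, msgs logged by sensor, msgs from sid-only lookup)."""
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    table, sensor_msgs, map_msgs = SignatureTable(), [], []
    for sid, captured in alerts:
        msg = f"{sid_map[sid]} [{captured}]" if dynamic_msg else sid_map[sid]
        table.sig_id(msg, 1, sid, 1)      # gid=1, rev=1 are assumed values
        sensor_msgs.append(msg)
        map_msgs.append(sid_map[sid])     # sid-only lookup never sees captured text
    return len(table.rows), sensor_msgs, map_msgs
```

With static messages the four constructed alerts occupy two signature rows; with captured text appended they occupy four, while the sid-only lookup returns the same static text either way.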
