From: Martin Roesch (roeschsourcefire.com)
Date: Wed Jan 02 2002 - 12:48:34 CST

    Hi again Neil,
         All of the dispositional data for a successful detect is kept in
    the OTNs. Here's the struct:

    typedef struct _OptTreeNode
    {
        /* plugin/detection functions go here */
        OptFpList *opt_func;

        void *ds_list[512];     /* list of plugin data struct pointers */

        int chain_node_number;  /* bookkeeping/debug data */

        int type;               /* alert, log, or pass */
        int proto;              /* protocol, added for integrity checks
                                   during rule parsing */

        int session_flag;       /* record session data */

        char *logto;            /* log file in which to write packets which
                                   match this rule */

        char *message;          /* alert message */

        u_int8_t stateless;     /* this rule can fire regardless of session
                                   state */

        Event event_data;

        TagData *tag;           /* info for tagging this event if necessary */

        /* stuff for dynamic rules activation/deactivation */
        int active_flag;
        int activation_counter;
        int countdown;
        int activates;
        int activated_by;

        struct _OptTreeNode *OTN_activation_ptr;
        struct _RuleTreeNode *RTN_activation_ptr;

        struct _OptTreeNode *next;
        struct _RuleTreeNode *rtn;

    } OptTreeNode;

         -Marty

    ndesai01tampabay.rr.com wrote:
    >
    > According to the documentation snort will first search
    > the RTN's and if a match is found then it will go down
    > the OTN's. Does snort put information that is not
    > related to the packet in the OTN as well (i.e. will msg,
    > logto, reference)? Thanks.
    > Neil

    --
    Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
    Sourcefire: Professional Snort Sensor and Management Console appliances
    roeschsourcefire.com - http://www.sourcefire.com  
    Snort: Open Source Network IDS - http://www.snort.org
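Neil's question and Marty's reply together describe the split Snort makes between the RTNs (packet-header criteria, searched first) and the OTNs chained under each RTN (one option check each, plus the dispositional data such as type, msg and logto). The following is an added toy model of that two-level walk in C, not Snort's own code; the struct fields, the content check and the three-rule set are constructed for illustration and carry only the fields the walk needs.

```c
#include <string.h>
/* Constructed toy model of Snort's rule tree (added example, not Snort
 * source): an RTN carries packet-header criteria; the OTNs chained under
 * it each carry one option check plus the disposition (type, msg, logto). */
typedef struct { int proto; int dport; const char *payload; } Packet;

typedef struct OptTreeNode {
    int (*opt_func)(const Packet *, const char *); /* option plugin check */
    const char *opt_arg;        /* argument for that check */
    int type;                   /* 1 alert, 2 log, 3 pass */
    const char *message;        /* msg lives in the OTN, not the RTN */
    const char *logto;          /* so does logto */
    struct OptTreeNode *next;
} OptTreeNode;

typedef struct RuleTreeNode {
    int proto, dport;           /* header criteria live in the RTN */
    OptTreeNode *down;          /* OTN chain sharing this header */
    struct RuleTreeNode *right;
} RuleTreeNode;

/* Constructed option plugin: payload content match. */
static int check_content(const Packet *p, const char *arg) {
    return strstr(p->payload, arg) != NULL;
}
/* Search the RTNs first; only on a header hit walk that RTN's OTNs.
 * Returns the matching OTN (which holds the disposition) or NULL. */
const OptTreeNode *detect(const RuleTreeNode *rtn, const Packet *p) {
    for (; rtn; rtn = rtn->right) {
        if (rtn->proto != p->proto || rtn->dport != p->dport)
            continue;           /* RTN miss: none of its OTNs run */
        for (const OptTreeNode *o = rtn->down; o; o = o->next)
            if (o->opt_func(p, o->opt_arg))
                return o;
    }
    return NULL;
}
/* Constructed rule set: two rules share the tcp/80 header, one is on tcp/21. */
static OptTreeNode otn_cmd = { check_content, "cmd.exe", 1, "WEB-IIS cmd.exe access", "web.log", NULL };
static OptTreeNode otn_pwd = { check_content, "/etc/passwd", 1, "WEB-MISC /etc/passwd", "web.log", &otn_cmd };
static OptTreeNode otn_ftp = { check_content, "USER root", 1, "FTP root login attempt", "ftp.log", NULL };
static RuleTreeNode rtn_ftp = { 6, 21, &otn_ftp, NULL };
static RuleTreeNode rtn_web = { 6, 80, &otn_pwd, &rtn_ftp };

/* Alert message for a packet, or NULL when no rule fires. */
const char *alert_message(int proto, int dport, const char *payload) {
    Packet p = { proto, dport, payload };
    const OptTreeNode *hit = detect(&rtn_web, &p);
    return hit ? hit->message : NULL;
}
```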