#216 local link for signatures of preprocessors

BASE
open
nobody
Interface (166)
5
2009-06-18
2009-06-18
Akos Daniel
No

Someone did an offline link from txt files (Snort rules come with txt files as a description). It works fine, but not with signatures that come from preprocessors (where sig_gid is not 1).

In includes/base_signature.inc.php at line 278 there is a limit for sig_sid:

278 /* xxx jl: provided, that there is a subdirectory "signatures/" in $BASE_urlpath */
279 if ( ( is_numeric($sig_id) ) && ($sig_sid >= 103) ) {
280 $ref = $ref.GetSingleSignatureReference("local", $sig_sid, $style);

I added this to see sigs that come from preprocessors:

283 /* and if sid < 103? */
284 if ( ( is_numeric($sig_id) ) && ($sig_sid < 103) ) {
285 $ref = $ref.GetSingleSignatureReference("local", $sig_gid .'-'. $sig_sid, $style);

Seems to be working for me. The emerging rules have no txt files (as description); for those rules a local link should not be created.

Cheers,
Akos

Discussion

  • Hello Akos,

    I have rewritten that paragraph in the code. The preprocessor alerts as well as the alerts of any Community rules should now be displayed. But the usual "[local]" link does NOT appear in the signature name field when the corresponding file cannot be found. And the id range for bleeding edge/emerging threats has been excluded.

    Maybe you want to have a look at the new BASE version and check whether it works as expected. For this you will have to download the CVS version of BASE as explained at

    https://sourceforge.net/scm/?type=cvs&group_id=103348

    BASE can then be found under base-php4.

    Bye, bye

    Juergen

    Many thanks for your report.
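
The behaviour discussed in this ticket, as an added example that is not BASE's own code: a "[local]" link is produced only when the description file exists, preprocessor alerts use the "gid-sid" name from the report, and the Emerging Threats range is skipped. The function name, the ".txt" file naming and the excluded sid range (2000000 to 2999999) are assumptions; the ids are also restricted to digits because they end up in a file name.

```php
<?php
// Added illustration, not code from BASE. The helper name, the file naming
// and the excluded sid range below are assumptions.
const ET_SID_MIN = 2000000; // assumed start of the Emerging Threats sid range
const ET_SID_MAX = 2999999; // assumed end of that range

/**
 * Return the path of the local description file for an alert,
 * or null when no "[local]" link should be shown.
 */
function local_signature_file(string $sigDir, $gid, $sid): ?string
{
    // The ids become part of a file name: accept decimal digits only, so
    // dots, slashes or signs can never reach the path.
    foreach ([$gid, $sid] as $id) {
        if (!is_scalar($id) || !preg_match('/^[0-9]{1,9}$/D', (string)$id)) {
            return null;
        }
    }
    $gid = (int)$gid;
    $sid = (int)$sid;

    // Rules in the excluded range ship without txt descriptions: no link.
    if ($gid === 1 && $sid >= ET_SID_MIN && $sid <= ET_SID_MAX) {
        return null;
    }

    // gid 1 = ordinary rules ("<sid>.txt"); other generators such as
    // preprocessors are looked up as "<gid>-<sid>.txt".
    $name = ($gid === 1) ? "$sid.txt" : "$gid-$sid.txt";
    $path = rtrim($sigDir, '/') . '/' . $name;

    // Only offer the link when the description file is really there.
    return is_file($path) ? $path : null;
}

// Constructed demo data: a temporary signatures/ directory with two files.
$dir = sys_get_temp_dir() . '/signatures_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/1000.txt", "constructed rule description\n");
file_put_contents("$dir/122-3.txt", "constructed preprocessor description\n");

$alerts = [[1, 1000], [122, 3], [122, 4], [1, 2001219], [1, '../../etc/passwd']];
foreach ($alerts as [$g, $s]) {
    $file = local_signature_file($dir, $g, $s);
    echo "gid=$g sid=$s => ", ($file === null ? 'no link' : '[local] ' . basename($file)), "\n";
}
```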