Snort mailing list archives

Re: Snort SIDs changed?


From: Brian <bmc () snort org>
Date: Thu, 26 Aug 2004 14:40:35 -0400

On Mon, Aug 23, 2004 at 10:57:47AM -0400, Brian wrote:
> On Fri, Aug 13, 2004 at 05:14:38PM -0600, Sean Brown wrote:
> > Have the SIDs on Snort's website changed? I have SID 108 logged as
> > '(snort_decoder) Unknown Datagram decoding problem!' Yet clicking on
> > the link to the description of that sid in ACID it points to
> > http://www.snort.org/snort-db/sid.html?sid=108 which obviously is
> > sid 108 but there the message listed is 'BACKDOOR QAZ Worm Client
> > Login access'
>
> The alert you are looking at, '(snort_decoder) Unknown Datagram decoding
> problem!', is gen 116, sid 108.
>
> The rule documentation at
> http://www.snort.org/snort-db/sid.html?sid=108 is for gen 1, sid 108.
>
> Hopefully preprocessor events will have documentation for them soon.
> (We are working on it now.)

Oh, BTW..

This doesn't help you any because the snort decoder events are not
documented yet, but some documentation for preprocessor events is now
available via the web.

Information for your specific event (gen 116, sid 108), had the
documentation for that preprocessor event been done already, would
have been available here:

    http://www.snort.org/snort-db/sid.html?sid=116:108

Right now, only the http_inspect preprocessor event documentation is
done. But, we are working on it. Feel free to contribute.

-b
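
Added example, not part of the original message: a small parser that keys Snort alerts by the (gen, sid) pair from the `[gen:sid:rev]` alert header, so that gen 116 sid 108 and gen 1 sid 108 are never merged, and builds the documentation URL in the form quoted above. The sample alert lines (timestamps, addresses, revisions) are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Snort alert header: "[**] [gen:sid:rev] message [**]"
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
DOC_BASE = "http://www.snort.org/snort-db/sid.html?sid="  # URL form from the message

# Constructed sample lines in Snort "fast" alert style (all values made up).
SAMPLE_ALERTS = """\
08/13-17:02:11.120001  [**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**] {UDP} 192.0.2.10:1024 -> 192.0.2.20:53
08/13-17:02:12.450002  [**] [1:108:5] BACKDOOR QAZ Worm Client Login access [**] [Priority: 1] {TCP} 192.0.2.30:4000 -> 192.0.2.40:7597
08/13-17:02:13.990003  [**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**] {UDP} 192.0.2.10:1025 -> 192.0.2.20:53
not an alert line
"""

def parse_alert(line):
    """Return (gen, sid, rev, msg), or None if the line has no alert header."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gen, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return gen, sid, rev, m.group(4)

def doc_url(gen, sid):
    """Gen 1 (text rules) uses the bare sid; other generators use gen:sid."""
    return DOC_BASE + (str(sid) if gen == 1 else f"{gen}:{sid}")

def summarize(text):
    """Count alerts per (gen, sid) and list sids reused by several generators."""
    counts, msgs, gens_by_sid = Counter(), {}, {}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip anything that is not an alert line
        gen, sid, _rev, msg = parsed
        counts[(gen, sid)] += 1
        msgs[(gen, sid)] = msg
        gens_by_sid.setdefault(sid, set()).add(gen)
    ambiguous = {s: sorted(g) for s, g in gens_by_sid.items() if len(g) > 1}
    return counts, msgs, ambiguous

if __name__ == "__main__":
    counts, msgs, ambiguous = summarize(SAMPLE_ALERTS)
    for (gen, sid), n in sorted(counts.items()):
        print(f"{n}x gen {gen} sid {sid}: {msgs[(gen, sid)]} -> {doc_url(gen, sid)}")
    print("sids that need the generator to disambiguate:", ambiguous)
```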

