Snort mailing list archives
Re: where is a faq/info on alerts
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Fri, 6 Aug 2004 09:25:22 -0500 (CDT)
Hm. I was surprised - I could not find the answer anywhere in the {snort}/doc subdirectory of my snort-2.1.1 installation, nor in the manual or the FAQ at www.snort.org/docs . Maybe it's me.

As I recall, the format [xx:yy:zz] expands to:

  xx = source module; 1 = standard snort rule, other numbers for various preprocessors (http_inspect, e.g.)
  yy = sid configured into the snort rule generating the alert, or subsidiary alert type if from a preprocessor;
  zz = rev configured into the snort rule.

So the alert

  Aug 6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 213.188.215.26 -> 128.42.163.104

was generated by the standard snort rule with sid 469 and rev 1. More data can be found by looking up the rule:

  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

More data can also be found in later versions of snort in the distributed files {snort}/doc/signatures/469.txt, and the reference to "arachnids" is a shorthand which is explained in section 2.4.2 of the Snort users manual.

-g

On Thu, 5 Aug 2004, Turnquist,Wayne wrote:
  Date: Thu, 5 Aug 2004 21:38:46 -0500
  From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
  To: snort-users () lists sourceforge net
  Subject: [Snort-users] where is a faq/info on alerts

  Where do I find info on an alert that shows up in the log as snort [xx:yy:ww]? Can someone point me to a FAQ on the numbering scheme of these alerts? I need a good starting point so I can understand/search for these alerts.

  Thanks,
  wt
Glenn Forbes Fleming Larratt
Rice University Networking
glratt () rice edu
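As an added illustration of the [gid:sid:rev] scheme the reply describes (this is example code, not from the poster or the Snort project), the following parser pulls the generator id, sid, rev, message, classification, priority, protocol and endpoints out of a syslog-style Snort alert line. The sample line mirrors the one quoted above; the second, TCP line and the "source" / "doc_path" fields are constructed assumptions of this example, not values from the page.

```python
import re

# Constructed sample, same shape as the alert quoted in the reply above.
SAMPLE_ICMP_ALERT = (
    "Aug 6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] [1:469:1] "
    "ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: "
    "{ICMP} 213.188.215.26 -> 128.42.163.104"
)

# Constructed TCP-style line (made-up sid and addresses) to show endpoints with ports.
SAMPLE_TCP_ALERT = (
    "Aug 6 09:20:01 foo.rice.edu snort: [1:1000001:2] CONSTRUCTED TEST RULE "
    "[Classification: Misc activity] [Priority: 3]: {TCP} 10.0.0.5:51234 -> 10.0.0.9:80"
)

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst
# The Classification block is optional because not every generator emits one.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def _split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port. IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_snort_alert(line):
    """Parse one Snort alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        d[key] = int(d[key])
    # gid 1 is a standard rule; any other generator id is a preprocessor (per the reply).
    d["source"] = "rule" if d["gid"] == 1 else "preprocessor"
    # Per-signature doc file that later Snort releases ship, as named in the reply.
    d["doc_path"] = f"doc/signatures/{d['sid']}.txt" if d["gid"] == 1 else None
    d["src"], d["src_port"] = _split_endpoint(d["src"])
    d["dst"], d["dst_port"] = _split_endpoint(d["dst"])
    return d
```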