Snort mailing list archives

Re: where is a faq/info on alerts


From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Fri, 6 Aug 2004 09:25:22 -0500 (CDT)

Hm. I was surprised - I could not find the answer anywhere in the
{snort}/doc subdirectory of my snort-2.1.1 installation, nor in the
manual or the FAQ at www.snort.org/docs . Maybe it's me.

As I recall, the format [xx:yy:zz] expands to

        xx = source module; 1 = standard snort rule, other numbers for
                various preprocessors (http_inspect,e.g.)

        yy = sid configured into the snort rule generating the alert, or
                subsidiary alert type if from a preprocessor;

        zz = rev configured into the snort rule.

So the alert

Aug  6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 213.188.215.26 -> 128.42.163.104

was generated by the standard snort rule with sid 469 and rev 1. More data
can be found by looking up the rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

; more data can be found in later versions of snort in the distributed
files {snort}/doc/signatures/469.txt, and the reference to "arachnids"
is a shorthand which is explained in section 2.4.2 of the Snort users
manual.

        -g

On Thu, 5 Aug 2004, Turnquist,Wayne wrote:

Date: Thu, 5 Aug 2004 21:38:46 -0500
From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] where is a faq/info on alerts

Where do I find info on the alerts that show up in the log?

snort [xx:yy:ww]

Can someone point me to a FAQ on the numbering scheme of these alerts?

I need a good starting point so I can understand/search for these alerts.


thanks
wt


                                Glenn Forbes Fleming Larratt
                                Rice University Networking
                                glratt () rice edu
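The [gid:sid:rev] breakdown Glenn gives above, turned into working code. This is an added example, not code from the list post or from the Snort project: it parses the syslog-style alert line quoted in the reply, splits the header into generator id, sid and rev, decides from the gid whether a rule or a preprocessor fired, and cross-references the sid/rev pair against rule text to pull out msg, classtype and the reference: field. The two extra alert lines (a local rule with sid 1000001 and an http_inspect event with gid 119) and the local rule are constructed sample data for the demo; the gid-to-preprocessor mapping and the doc/signatures/<sid>.txt path are assumptions taken from the reply, not verified against any particular Snort release.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog output format as quoted on the list:
#   [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src[:port] -> dst[:port]
# Only IPv4 endpoints are handled here (Snort 2.1-era output).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s*"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Rule option block: name:value; pairs, values optionally double-quoted.
RULE_OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def source(self) -> str:
        # gid 1 is a standard rule; any other generator id is a preprocessor/decoder.
        return "rule" if self.gid == 1 else f"preprocessor (gid {self.gid})"


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Extract the [gid:sid:rev] header and endpoints from one syslog alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_rule(rule: str) -> Dict[str, List[str]]:
    """Return a rule's option block as name -> values (reference: may repeat).
    Keyword-only options such as nocase; have no value and are skipped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts: Dict[str, List[str]] = {}
    for name, value in RULE_OPT_RE.findall(body):
        opts.setdefault(name, []).append(value.strip().strip('"'))
    return opts


def index_rules(rules: List[str]) -> Dict[Tuple[int, int], Dict[str, List[str]]]:
    """Index parsed rules by (sid, rev) so an alert header maps straight to its rule."""
    index = {}
    for rule in rules:
        opts = parse_rule(rule)
        index[(int(opts["sid"][0]), int(opts["rev"][0]))] = opts
    return index


def find_rule(alert: SnortAlert, index) -> Optional[Dict[str, List[str]]]:
    # Only gid 1 events come from rules; preprocessor sids live in a separate namespace.
    return index.get((alert.sid, alert.rev)) if alert.gid == 1 else None


def signature_doc_path(alert: SnortAlert, snort_root: str) -> Optional[str]:
    # Per the reply, later releases ship doc/signatures/<sid>.txt for rule sids.
    return f"{snort_root}/doc/signatures/{alert.sid}.txt" if alert.gid == 1 else None


# The alert and rule quoted in the reply, plus two constructed lines for contrast.
PAGE_ALERT = ("Aug  6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] [1:469:1] "
              "ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: "
              "{ICMP} 213.188.215.26 -> 128.42.163.104")
PAGE_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
             'dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)')
LOCAL_ALERT = ("Aug  6 09:20:01 foo.rice.edu snort: [1:1000001:2] LOCAL web probe "
               "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:44123 -> 192.168.1.10:80")
LOCAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL web probe"; '
              'content:"/cgi-bin/"; nocase; classtype:web-application-attack; sid:1000001; rev:2;)')
PREPROC_ALERT = ("Aug  6 09:21:15 foo.rice.edu snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING "
                 "[Classification: Unknown Traffic] [Priority: 3]: {TCP} 10.0.0.7:51000 -> 10.0.0.8:80")

if __name__ == "__main__":
    rules = index_rules([PAGE_RULE, LOCAL_RULE])
    for line in (PAGE_ALERT, LOCAL_ALERT, PREPROC_ALERT):
        a = parse_alert(line)
        rule = find_rule(a, rules)
        print(f"[{a.gid}:{a.sid}:{a.rev}] {a.source}: {a.msg} "
              f"refs={rule.get('reference') if rule else None} "
              f"doc={signature_doc_path(a, '/usr/local/snort')}")
```

The index is keyed on (sid, rev) rather than sid alone because the rev is what tells you which edit of the rule produced the alert; a sid whose rev has been bumped in a newer ruleset will not match, which is the right failure when you are trying to read the exact logic that fired.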

