Re: Incorrect SID 108

[Todd Wease <twease () sourcefire com>]

On Wed, 2006-11-01 at 09:11 +0900, Ian Masters wrote:
>  > What version of Snort are you using and what web interface are you
> > using?  
> >
> > Both alerts have the same SID; however, they each have a different
> > generator id (GID).  It sounds like whatever web interface you are using
> > is not taking the GID into account when creating the link.
>
> I'm using Snort Version 2.3.2 (Build 12) and  ACID v0.9.6b23.
>
> Why is it necessary for two alerts to have the same SID?

SIDs are grouped under GIDs.  For the events produced by the rules, the
GID is 1.  For events produced by other parts of Snort such as the
preprocessors and decoder the GID is different.  The GID lets you know
what part of the system produced the event.  Look at gen-msg.map where
you keep your snort.conf.

It is advisable that you upgrade you version of Snort and use BASE
(which is based on ACID) instead of ACID since ACID hasn't been
supported for quite some time.

Todd


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users