Snort mailing list archives

Signature numbering significance


From: "Gardner, Warren (IHG)" <Warren.Gardner () ihg com>
Date: Thu, 19 May 2016 15:14:54 +0000


Hello,

I've just begun to investigate some of the Snort signatures blocked by my firewall and don't really understand the 
naming convention and the significance of the numbers. I read the FAQ, which simply stated that the number must be > 10,000 
for community submitted submissions, but that didn't really give me the knowledge I was looking for.

I have seen many 1:16301:14 attempts on port 80; when I searched the snort DB it returned "Your search returned no 
results". I removed the :14, hoping that might be just a submission or release number, and the search returned "1-16301 - 
This event is generated when an attempt is made to exploit a known vulnerability in Internet Explorer". Because it was 
a port 80 request, the message about an IE vulnerability seemed to make sense (even if it did relate to v5 and v6).

A similar thing happened with 1:21516:9; once I removed the :9, the search returned "This event is generated when an 
attempt is made to exploit a known vulnerability in jboss application server."

My question is: what significance do the colon-separated values have (if any)? If the snort.org search returns no matches 
for a signature, is there anywhere else I can find more information about a signature?



Warren Gardner

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net