Snort mailing list archives
Alerts including gen_id and sig_id?
From: "Paul Guijt" <paul.guijt () gmail com>
Date: Sun, 16 Apr 2017 18:42:44 +0200
Hi All,

I have alerts like

[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x33FFC114 Ack: 0x29CB4BB5 Win: 0x6000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1978513079 3620817

and want to deduce the related gen_id and sig_id to construct a suppress rule.

Do I understand correctly that the '129' is (always) the gen_id and the '12' is (always) the sig_id? If not, how can I find them anyway?

Thanks!
Paul
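As an added example (not part of the original post or of Snort itself), a small Python parser that pulls the [gen_id:sig_id:rev] triple and the source/destination addresses out of a full-format Snort alert header like the one quoted above and builds the corresponding threshold.conf suppress line. The sample alert below is constructed from the quoted text, and the `suppress gen_id ..., sig_id ...[, track by_src|by_dst, ip ...]` form is Snort's standard suppress syntax.

```python
import re

# Constructed sample, copied from the format of the alert quoted in the post
# (Snort "full" alert: header line "[**] [gid:sid:rev] message [**]").
SAMPLE_ALERT = """[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
"""

# [**] [gid:sid:rev] <message> [**]
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
# src_ip:port -> dst_ip:port on the packet line
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_alert(text):
    """Return gid, sid, rev, message and src/dst IPs from one full-format alert."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no [gid:sid:rev] header found in alert text")
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    flow = FLOW_RE.search(text)
    src, dst = (flow.group(1), flow.group(2)) if flow else (None, None)
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4), "src": src, "dst": dst}


def suppress_line(alert, track=None):
    """Build a threshold.conf suppress line for the parsed alert.

    track=None silences gid:sid for every host (the broad option);
    track='by_src' or 'by_dst' limits the suppression to the one address
    seen in the alert, which is the narrower and usually preferable tuning.
    """
    line = f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}"
    if track == "by_src" and alert["src"]:
        line += f", track by_src, ip {alert['src']}"
    elif track == "by_dst" and alert["dst"]:
        line += f", track by_dst, ip {alert['dst']}"
    return line


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(parsed)
    print(suppress_line(parsed))
    print(suppress_line(parsed, track="by_src"))
```

Note that the rev (the third number, 1 here) is not part of the suppress syntax; only gen_id and sig_id identify the event.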
Current thread:
- Alerts including gen_id and sig_id? Paul Guijt (Apr 16)
- Re: Alerts including gen_id and sig_id? wkitty42 (Apr 16)
- Re: Alerts including gen_id and sig_id? Al Lewis (allewi) (Apr 16)