Snort mailing list archives

Re: Alerts including gen_id and sig_id?


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sun, 16 Apr 2017 19:07:53 +0000

You can find them all in the preproc_rules/preprocessor.rules file.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com 

On 4/16/17, 12:42 PM, "Paul Guijt" <paul.guijt () gmail com> wrote:

Hi All,

I have alerts like 

      [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
      [Classification: Potentially Bad Traffic] [Priority: 2]
      04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
      TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
      ***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
      TCP Options (3) => NOP NOP TS: 1978513079 3620817

and want to deduce the related gen_id and sig_id to construct a suppress
rule. 

Do I understand correctly that the '129' is (always) the gen_id and the '12'
is (always) the sig_id? 

If not, how can I find them anyway? 

Thanks!
Paul
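Worked example added here (not part of the thread): a small Python helper that parses the `[gen_id:sig_id:rev]` header of a Snort "full" alert like the one quoted above, pulls the endpoints from the packet line, and emits the matching `suppress` line in Snort 2 threshold.conf syntax. The embedded alert text is the one from the question; the function names are my own.

```python
import re

# Constructed sample: the alert quoted in the question above (Snort "full" alert format).
SAMPLE_ALERT = """\
[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1978513079 3620817
"""

# Alert header: [**] [gen_id:sig_id:rev] message [**]  (the closing [**] may be line-wrapped)
HEADER_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]", re.S)
# Packet line: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
PACKET_RE = re.compile(
    r"^\s*\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$",
    re.M,
)

def parse_alert(text):
    """Return gen_id, sig_id, rev, message and endpoints of one alert, or None if no header."""
    m = HEADER_RE.search(text)
    if m is None:
        return None
    gen_id, sig_id, rev = (int(x) for x in m.group(1, 2, 3))
    src = dst = None
    p = PACKET_RE.search(text)
    if p:
        src, dst = p.group(1), p.group(2)
    return {"gen_id": gen_id, "sig_id": sig_id, "rev": rev,
            "msg": m.group(4), "src": src, "dst": dst}

def suppress_rule(alert, track=None):
    """Build a threshold.conf 'suppress' line (Snort 2 syntax).

    track=None suppresses the event everywhere; "by_src" / "by_dst" limit the
    suppression to the host seen in the alert, which is the safer choice when
    only one known-noisy host is responsible for the alerts.
    """
    line = f"suppress gen_id {alert['gen_id']}, sig_id {alert['sig_id']}"
    if track == "by_src" and alert["src"]:
        line += f", track by_src, ip {alert['src']}"
    elif track == "by_dst" and alert["dst"]:
        line += f", track by_dst, ip {alert['dst']}"
    return line

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a)
    print(suppress_rule(a))
    print(suppress_rule(a, track="by_src"))
```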




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!