Snort mailing list archives

Alert messages and rule identification


From: Subba Rao <subba9 () home com>
Date: Thu, 17 May 2001 07:41:13 +0000

My snort alert file has only these entries so far.

-----------------------------------------------------------
[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:34.581889 Z.Z.Z.77 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63586 -> D.D.D.213:53
UDP TTL:125 TOS:0x0 ID:29521 IpLen:20 DgmLen:64
Len: 44
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:38.578669 C.C.C.157 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63587 -> D.D.D.214:53
UDP TTL:125 TOS:0x0 ID:32081 IpLen:20 DgmLen:57
Len: 37
** END OF DUMP
-----------------------------------------------------------

The original datagram says it is a DNS query. I get notified via ICMP
that the destination is unreachable. This looks normal to me. How do I
find out which rule has triggered this alert? I am not going to remove
that alert but will modify my DNS resolution.

Is there a way to make snort dump the rule ID along with the alert dump?

Any info appreciated.

TIA.
-- 

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID 27FC9217
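The alert records quoted in the post above follow Snort's plain-text "full" alert layout: a `[**] msg [**]` header, a timestamp and address line, a protocol line, and (for ICMP errors) the embedded original datagram between `** ORIGINAL DATAGRAM DUMP:` and `** END OF DUMP`. Note that nothing in that layout carries a rule identifier; the message string is the only field available for correlating an alert back to a rule. The parser below is an added example, not code from the post or from the Snort project; it reads the two alerts exactly as shown (the masked addresses are the poster's), splits the outer ICMP packet from the quoted inner datagram, and then answers the triage question the post raises: which alerts are just "host unreachable" replies to this host's own outbound DNS queries, and which resolvers were unreachable. Function names (`parse_alerts`, `unreachable_for_dns`, `unreachable_resolvers`) are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two alert records from the post, verbatim.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:34.581889 Z.Z.Z.77 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63586 -> D.D.D.213:53
UDP TTL:125 TOS:0x0 ID:29521 IpLen:20 DgmLen:64
Len: 44
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
05/17-06:51:38.578669 C.C.C.157 -> X.X.X.36
ICMP TTL:253 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
X.X.X.36:63587 -> D.D.D.214:53
UDP TTL:125 TOS:0x0 ID:32081 IpLen:20 DgmLen:57
Len: 37
** END OF DUMP
"""

# "[**] <rule message> [**]" - the only rule-related field in this format.
HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; the inner datagram line
# has the same shape without the timestamp.
FLOW_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+)?(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
PROTO_RE = re.compile(
    r"^(?P<proto>ICMP|UDP|TCP)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9a-fA-F]+)"
    r"\s+ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
)
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+(?P<desc>.*)$")


def _endpoint(token: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' into (addr, port); ICMP lines carry no port."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return token, None


def parse_alerts(text: str) -> List[Dict]:
    """Parse Snort full-format alert records separated by blank lines."""
    alerts: List[Dict] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # not an alert record; skip silently
        alert: Dict = {"msg": head["msg"], "inner": None}
        target = alert  # fields go to the outer packet until the dump starts
        for line in lines[1:]:
            if line.startswith("** ORIGINAL DATAGRAM DUMP"):
                alert["inner"] = {}
                target = alert["inner"]
                continue
            if line.startswith("** END OF DUMP"):
                target = alert
                continue
            m = FLOW_RE.match(line)
            if m:
                src, sport = _endpoint(m["src"])
                dst, dport = _endpoint(m["dst"])
                target.update(src=src, sport=sport, dst=dst, dport=dport)
                if m["ts"]:
                    target["ts"] = m["ts"]
                continue
            m = PROTO_RE.match(line)
            if m:
                target.update(proto=m["proto"], ttl=int(m["ttl"]), tos=m["tos"],
                              ip_id=int(m["id"]), dgmlen=int(m["dgmlen"]))
                continue
            m = ICMP_RE.match(line)
            if m:
                target.update(icmp_type=int(m["type"]), icmp_code=int(m["code"]),
                              icmp_desc=m["desc"].strip())
        alerts.append(alert)
    return alerts


def unreachable_for_dns(alerts: List[Dict]) -> List[Dict]:
    """ICMP Destination Unreachable (type 3) whose quoted datagram was a UDP/53 query."""
    return [
        a for a in alerts
        if a.get("proto") == "ICMP" and a.get("icmp_type") == 3
        and (a.get("inner") or {}).get("proto") == "UDP"
        and (a.get("inner") or {}).get("dport") == 53
    ]


def unreachable_resolvers(alerts: List[Dict]) -> List[str]:
    """Distinct DNS servers (inner destination) reported unreachable, in order seen."""
    seen: List[str] = []
    for a in unreachable_for_dns(alerts):
        dst = a["inner"]["dst"]
        if dst not in seen:
            seen.append(dst)
    return seen


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["ts"], a["msg"], "<-", a["inner"]["src"], "->", a["inner"]["dst"])
    print("unreachable resolvers:", unreachable_resolvers(parsed))
```

Run against a real alert file, the resolver list is what to check against the host's configured name servers: if the addresses match, the alerts are the expected echo of a misconfigured or dead resolver rather than something to tune out of the rule set.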

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

