Snort mailing list archives
Re: what is this mean?
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Aug 2002 00:09:20 -0400
Offhand I can't tell you what the first number (the 1) is, but the second and third are the signature ID (SID) and revision of the rule that caused the alert. There might be multiple rules with the same message, but there should never be two rules with the same SID.
So the SID of the rule is 1721, and it's revision 3 of the rule. If you look at the rule (in web-cgi.rules):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flags:A+; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:3;)

the sid and rev are the last two parts.

At 11:21 AM 8/13/2002 +0800, SW wrote:
> Hi,
> I am new to snort. I am wondering what is the [1:1721:3] mean in the following alert file:
>
> [**] [1:1721:3] WEB-CGI adcycle access [**]
>
> Thanks
> SW
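The lookup described in the reply above, as an added Python example (not part of the original message and not Snort's own code): it splits the bracketed triple in an alert line, finds the rule by SID, and flags alerts whose revision differs from the rule on disk. The first field is Snort's generator ID; the function names and the 10000xx sample entries are assumptions made for illustration.

```python
import re

# Constructed sample data: the first alert and rule are the ones quoted in the
# thread; the 10000xx entries are made up to show the failure cases.
ALERTS = """\
[**] [1:1721:3] WEB-CGI adcycle access [**]
[**] [1:1000001:2] LOCAL example rule [**]
[**] [1:1000002:1] LOCAL rule not in file [**]
"""
RULES = '''\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flags:A+; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:3;)
# alert tcp any any -> any any (msg:"disabled"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL example rule"; content:"x"; sid:1000001; rev:4;)
'''

# [gid:sid:rev]: generator ID, signature ID, rule revision.
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
OPT_RE = re.compile(r"\b(sid|rev)\s*:\s*(\d+)\s*;")

def parse_alert(line):
    """Return (gid, sid, rev, msg) for a '[**] [g:s:r] msg [**]' line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return gid, sid, rev, m.group(4)

def index_rules(text):
    """Map sid -> (rev, rule line), skipping commented-out rules."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        opts = dict(OPT_RE.findall(line))
        if line.startswith("#") or "sid" not in opts:
            continue
        sid = int(opts["sid"])
        if sid in index:  # a SID must identify exactly one rule
            raise ValueError(f"duplicate sid {sid}")
        index[sid] = (int(opts["rev"]) if "rev" in opts else None, line)
    return index

def resolve(alert_line, index):
    """Classify an alert: 'match', 'rev-mismatch', 'unknown-sid' or 'unparsed'."""
    parsed = parse_alert(alert_line)
    if parsed is None:
        return "unparsed"
    _, sid, rev, _ = parsed
    if sid not in index:
        return "unknown-sid"
    return "match" if index[sid][0] == rev else "rev-mismatch"
```

A `rev-mismatch` result means the alert was produced by a different revision of the rule than the one in the file being searched, so the rule text may not describe what actually fired.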