Snort mailing list archives
RE: Parsing SID field
From: Tinsley Paul <Paul.Tinsley () HCAhealthcare com>
Date: Tue, 3 Jun 2003 15:59:21 -0500
Somebody please correct me if the below information is incorrect, and sorry about the formatting but I yanked this from a script.

#example message IP's x'd out to protect the innocent:
#[1:2087:2] SMTP From comment overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: <eth2> {TCP} xxx.xx.xxx.xxx:37422 -> xxx.xx.xx.xx:25
#message format:
#[1:2:3] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [Classification: bbbbbbbbbbbbb] [Priority: c]: <i> {ddd} eee.eee.eee.eee:fffff -> ggg.ggg.ggg.ggg:hh
#1 - GID (engine that caught the signature) [integer]
#2 - SID (Signature ID) [integer]
#3 - REV (Revision of the Signature) [integer]
#a - Signature Short Description [text]
#b - Classification (Ex: Information Gain, Remote Root) [text]
#c - Priority [integer]
#d - Protocol (Ex: TCP, UDP) [text]
#e - Source IP [IP octets]
#f - Source Port [integer]
#g - Dest. IP [IP octets]
#h - Dest. Port [integer]
#i - Ethernet Interface [text]

-----Original Message-----
From: Todd A. Jacobs [mailto:nospam () codegnome org]
Sent: Tuesday, June 03, 2003 3:26 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Parsing SID field

In an alert file, I can't figure out what the first field of the SID record is telling me. For example:

[1:1002:5] is SID 1002, Revision 5. But what is the 1 telling me?

--
The DMCA is anti-consumer. The RIAA has no right to rewrite copyright laws to suit themselves.

-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
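A parser for the alert line layout described in the message above, added here as an example; it is not code from the original message or from Snort itself. It goes beyond the message in two assumptions: the <interface> tag and the ports are treated as optional (ICMP alerts carry no ports), and the sample lines are constructed using documentation IP ranges.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Layout from the message above: [gid:sid:rev] msg [Classification: b] [Priority: c]: <i> {d} e:f -> g:h
# Assumption beyond the message: the <iface> tag and the ports are optional (ICMP alerts have no ports).
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+(?:<(?P<iface>[^>]+)>\s+)?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class SnortAlert:
    gid: int            # generator (engine/preprocessor) that produced the alert
    sid: int            # signature id
    rev: int            # signature revision
    msg: str
    classification: Optional[str]
    priority: int
    iface: Optional[str]
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one alert line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    return SnortAlert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                      m["classification"], int(m["priority"]), m["iface"], m["proto"],
                      m["src"], sport, m["dst"], dport)

def count_by_signature(lines: Iterable[str]) -> Counter:
    """Tally alerts by gid:sid, the pair that identifies the rule that fired."""
    return Counter(f"{a.gid}:{a.sid}" for a in map(parse_alert, lines) if a is not None)

# Constructed sample lines using documentation IP ranges (not real traffic).
SAMPLE_ALERTS = [
    "[1:2087:2] SMTP From comment overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: <eth2> {TCP} 192.0.2.10:37422 -> 198.51.100.5:25",
    "[1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.3 -> 198.51.100.9",
]
```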
Current thread:
- Parsing SID field Todd A. Jacobs (Jun 03)
- Re: Parsing SID field Erek Adams (Jun 03)
- Re: Parsing SID field Erick Mechler (Jun 03)
- Re: Parsing SID field Brian (Jun 03)
- Re: Parsing SID field Jeff Nathan (Jun 03)
- <Possible follow-ups>
- RE: Parsing SID field Tinsley Paul (Jun 03)