Snort mailing list archives
Re: thresholding: How to get the sig_id?
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 14 Apr 2004 13:40:29 +0200
Hi Steffen,
> I'd like to tune my sensor but don't know how to get the right sig_id's for alerts which aren't created by rules. Alerts should have the following format [generator:signature:revision] but acid doesn't seem to use this.
Forget about acid on this topic... (It is a little bit more complicated than it sounds, but there are several IDs related to signatures, so it is difficult to find the right one. The sig_id acid uses is only an index where you can find the real signature in the database. In the signature table you find, for each sig_id, a sig_sid. This sig_sid is the sig_id you want...)
> Does anyone know how to get the sig_id's easily? The search engine of snort.org doesn't seem to work properly (for example: I don't find the sig_id if I use "possible EVASIVE RST detection" in the message field).
The search engine only counts for rules, not for messages generated by a preprocessor. This message is generated by a preprocessor and normally it should be part of the message which one it is:

"(spp_stream4) possible EVASIVE RST detection"

Then you know it is the stream4 preprocessor. So look at snort-2.1.2/src/generators.h and look for SPP_STREAM4:

[...]
#define GENERATOR_SPP_STREAM4 111
#define STREAM4_STEALTH_ACTIVITY 1
#define STREAM4_EVASIVE_RST 2
#define STREAM4_EVASIVE_RETRANS 3
[...]

So here is the generator id (111) and the sig_id (STREAM4_EVASIVE_RST, 2).

Best regards

Dirk
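The lookup Dirk describes, as an added example that is not part of the thread or of Snort itself: a small Python helper that parses the #define lines of generators.h, maps a preprocessor alert message to its gen_id/sig_id, and renders the matching threshold directive. The generators.h excerpt is constructed from the lines quoted above, and the word-matching between message and event macro is an assumed heuristic, so verify its output against the real file before using it.

```python
import re

# Constructed excerpt modelled on the snort-2.1.2/src/generators.h lines quoted
# in the thread (assumption: the real file defines many more generators/events).
GENERATORS_H = """
#define GENERATOR_SPP_STREAM4        111
#define STREAM4_STEALTH_ACTIVITY     1
#define STREAM4_EVASIVE_RST          2
#define STREAM4_EVASIVE_RETRANS      3
"""

DEFINE_RE = re.compile(r"^\s*#define\s+([A-Z0-9_]+)\s+(\d+)\s*$", re.MULTILINE)
MSG_RE = re.compile(r"^\((spp_\w+)\)\s*(.*)$")  # e.g. '(spp_stream4) possible EVASIVE RST detection'

def parse_generators(text):
    """Split generators.h #defines into {generator: gen_id} and {event macro: sig_id}."""
    gens, sigs = {}, {}
    for name, value in DEFINE_RE.findall(text):
        if name.startswith("GENERATOR_"):
            gens[name[len("GENERATOR_"):]] = int(value)
        else:
            sigs[name] = int(value)
    return gens, sigs

def resolve_ids(alert_msg, text=GENERATORS_H):
    """Return the (gen_id, sig_id) pairs whose event macro matches the message.
    Assumed heuristic: every word of the macro after its 'STREAM4_'-style prefix
    must occur as a word in the alert message; unmatched messages give []."""
    m = MSG_RE.match(alert_msg)
    if not m:
        raise ValueError("not a preprocessor alert message: %r" % alert_msg)
    preproc, msg = m.group(1).upper(), m.group(2)      # 'SPP_STREAM4', 'possible ...'
    gens, sigs = parse_generators(text)
    gen_id = gens[preproc]                              # KeyError for an unknown preprocessor
    prefix = preproc.split("_", 1)[1] + "_"             # 'STREAM4_'
    words = set(re.findall(r"[A-Za-z0-9]+", msg.upper()))
    hits = []
    for macro, sig_id in sigs.items():
        if macro.startswith(prefix):
            parts = macro[len(prefix):].split("_")      # 'EVASIVE_RST' -> ['EVASIVE', 'RST']
            if all(p in words for p in parts):
                hits.append((gen_id, sig_id))
    return hits

def threshold_line(gen_id, sig_id, count=1, seconds=60, track="by_src"):
    """Render the Snort 2.x 'threshold' directive (type limit) for one event."""
    return ("threshold gen_id %d, sig_id %d, type limit, track %s, count %d, seconds %d"
            % (gen_id, sig_id, track, count, seconds))
```

For the message in the thread, `threshold_line(*resolve_ids("(spp_stream4) possible EVASIVE RST detection")[0])` yields the directive for gen_id 111, sig_id 2.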
Current thread:
- thresholding: How to get the sig_id? Maetzky (extern) (Apr 14)
- Re: thresholding: How to get the sig_id? Dirk Geschke (Apr 14)