Snort mailing list archives

Re: thresholding: How to get the sig_id?


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 14 Apr 2004 13:40:29 +0200

Hi Steffen,

> I'd like to tune my sensor but don't know how to get right sig_id's for
> alerts which aren't created by rules.
>
> alerts should have the following format [generator:signature:revision]
> but acid doesn't seem to use this.

forget about acid on this topic... (It is a little bit more
complicated than it sounds, but there are several ID's related
to signatures. So it is difficult to find the right one. The
sig_id acid uses is only an index where you can find the real
signature in the database. In the signature table you find a
sig_sid for each sig_id. This sig_sid is the sig_id you want...)

> Does anyone know how to get the sig_id's easily?
>
> The search-engine of snort.org doesn't seem to work properly (for
> example: I don't find the sig_id if I use "possible EVASIVE RST
> detection" in the message-field)

The search engine only covers rules, not messages generated
by a preprocessor. This message is generated by a preprocessor, and
normally the message itself should tell you which one it is:

"(spp_stream4) possible EVASIVE RST detection"

Then you know it is the stream4 preprocessor. 

So look at snort-2.1.2/src/generators.h and look for SPP_STREAM4:

[...]
#define GENERATOR_SPP_STREAM4       111
#define     STREAM4_STEALTH_ACTIVITY            1
#define     STREAM4_EVASIVE_RST                 2
#define     STREAM4_EVASIVE_RETRANS             3
[...]

So here is the generator id (111) and the sig_id (STREAM4_EVASIVE_RST, 2)

Best regards

Dirk
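As an added example (not from Dirk's mail or from the Snort sources): a small Python script that pulls the gen_id and sig_id out of a generators.h excerpt the way the mail describes, reads the same pair back from a `[gid:sid:rev]` alert line, and writes the matching threshold.conf entry. The generators.h text is the excerpt quoted above, the alert line is constructed, and the threshold syntax assumed is Snort 2.x's `threshold gen_id ..., sig_id ..., type limit, track by_src, count N, seconds M`.

```python
import re

# Excerpt in the style of snort-2.1.2/src/generators.h; only the stream4
# defines quoted in the mail are reproduced, the rest of the file is omitted.
GENERATORS_H = """
#define GENERATOR_SPP_STREAM4       111
#define     STREAM4_STEALTH_ACTIVITY            1
#define     STREAM4_EVASIVE_RST                 2
#define     STREAM4_EVASIVE_RETRANS             3
"""

# Constructed fast-alert line for the event the mail talks about.
SAMPLE_ALERT = ("04/14-13:40:29.123456  [**] [111:2:1] (spp_stream4) "
                "possible EVASIVE RST detection [**] {TCP} "
                "192.0.2.10:4321 -> 192.0.2.20:80")

DEFINE_RE = re.compile(r"^\s*#define\s+(\w+)\s+(\d+)\s*$", re.MULTILINE)
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_generators(text):
    """Map preprocessor name -> (gen_id, {event_define: sig_id}).

    GENERATOR_SPP_<NAME> carries the gen_id; every define whose name starts
    with <NAME>_ is one of that preprocessor's sig_ids.
    """
    defines = {name: int(num) for name, num in DEFINE_RE.findall(text)}
    table = {}
    for name, gen_id in defines.items():
        if name.startswith("GENERATOR_SPP_"):
            prefix = name[len("GENERATOR_SPP_"):]          # e.g. STREAM4
            events = {n: v for n, v in defines.items()
                      if n.startswith(prefix + "_")}
            table[prefix] = (gen_id, events)
    return table


def lookup(table, preprocessor, event):
    """Resolve ('STREAM4', 'EVASIVE_RST') -> (111, 2)."""
    gen_id, events = table[preprocessor]
    return gen_id, events[preprocessor + "_" + event]


def ids_from_alert(line):
    """Return (gen_id, sig_id, rev) from a [gid:sid:rev] alert line, else None."""
    m = ALERT_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def threshold_line(gen_id, sig_id, count=1, seconds=60, track="by_src"):
    """threshold.conf entry that limits this event to `count` per source."""
    return (f"threshold gen_id {gen_id}, sig_id {sig_id}, type limit, "
            f"track {track}, count {count}, seconds {seconds}")
```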


