Snort mailing list archives

Re: setting threshold for snort signatures


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 15 Apr 2004 13:10:46 -0400

At 08:40 AM 4/15/2004, agnelo d wrote:

I need to set thresholds for snort rules.
The parameters are:

gen_id  gen-id  <------ what is this gen-id
sig_id  sig-id
type    limit, threshold, both
track   by_src, by_dst
count   n
seconds m

Please, can someone tell me what this gen-id is.

Generator ID. It's the first number in the alert lines generated by snort.

For rules it's always 1. Alerts generated by preprocessors have other numbers.

For example:
[1:1070:6] WEB-MISC WebDAV search access [**]

The bracketed numbers are [generator:SID:revision] for normal rules.

If you read gen-msg.map you can find generator:SID combinations for the preprocessors.

i.e., in 2.1.0 stream4 is generator 111, and [111:1:*] is "spp_stream4: Stealth Activity Detected"
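To make the six threshold parameters and the [generator:SID:revision] triple concrete, here is an added Python example; it is not code from the thread or from Snort itself. It parses alert header lines like the one quoted above and applies one threshold entry to a constructed stream of events. The limit/threshold/both window semantics are assumed from the Snort manual (the thread only lists the keywords); the timestamps, IP addresses and the revision number on the stream4 sample line are constructed values.

```python
import re

# Regex for the "[generator:SID:revision] message [**]" part of a Snort alert header.
ALERT_HEADER = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s*\[\*\*\]")


def parse_alert_header(line):
    """Return (gen_id, sig_id, rev, msg) from a Snort alert header line, or None."""
    m = ALERT_HEADER.search(line)
    if m is None:
        return None
    gen_id, sig_id, rev, msg = m.groups()
    return int(gen_id), int(sig_id), int(rev), msg


class Threshold:
    """One threshold entry with the six parameters named in the thread.

    Window semantics are assumed from the Snort manual (not stated in the thread):
      limit     - alert on the first `count` events per `seconds` window, then suppress
      threshold - alert on every `count`-th event within the window
      both      - alert once per window, when the `count`-th event arrives
    Counters are kept per tracking key (source or destination address).
    """

    def __init__(self, gen_id, sig_id, type_, track, count, seconds):
        if type_ not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.type, self.track = type_, track
        self.count, self.seconds = count, seconds
        self._state = {}  # key -> (window_start, events_seen_in_window)

    def matches(self, gen_id, sig_id):
        return (gen_id, sig_id) == (self.gen_id, self.sig_id)

    def should_alert(self, key, ts):
        start, n = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # open a new window for this key
        n += 1
        self._state[key] = (start, n)
        if self.type == "limit":
            return n <= self.count
        if self.type == "threshold":
            return n % self.count == 0
        return n == self.count  # "both"


def filter_alerts(events, thresholds):
    """Apply thresholds to (ts, src, dst, header_line) events; return surviving alerts."""
    out = []
    for ts, src, dst, line in events:
        parsed = parse_alert_header(line)
        if parsed is None:
            continue
        gen_id, sig_id, rev, msg = parsed
        allowed = True
        for th in thresholds:
            if th.matches(gen_id, sig_id):
                key = src if th.track == "by_src" else dst
                allowed = th.should_alert(key, ts)
                break  # first matching entry wins (assumes one entry per generator:SID)
        if allowed:
            out.append((ts, gen_id, sig_id, msg))
    return out


# Constructed sample input. The WebDAV line is the one quoted in the thread; the
# stream4 line uses revision 1 as a made-up value for the "[111:1:*]" wildcard.
WEBDAV = "[**] [1:1070:6] WEB-MISC WebDAV search access [**]"
STREAM4 = "[**] [111:1:1] spp_stream4: Stealth Activity Detected [**]"

SAMPLE_EVENTS = [  # (timestamp in seconds, src, dst, alert header line)
    (0, "10.0.0.5", "192.0.2.10", WEBDAV),
    (10, "10.0.0.5", "192.0.2.10", WEBDAV),
    (12, "10.0.0.5", "192.0.2.10", STREAM4),
    (20, "10.0.0.5", "192.0.2.10", WEBDAV),
    (30, "10.0.0.5", "192.0.2.10", WEBDAV),
    (45, "10.0.0.9", "192.0.2.10", WEBDAV),
    (70, "10.0.0.5", "192.0.2.10", WEBDAV),
]


def run_example():
    """gen_id 1, sig_id 1070, type limit, track by_src, count 2, seconds 60."""
    thresholds = [Threshold(1, 1070, "limit", "by_src", 2, 60)]
    return filter_alerts(SAMPLE_EVENTS, thresholds)


if __name__ == "__main__":
    for ts, gen_id, sig_id, msg in run_example():
        print(f"t={ts:3d} [{gen_id}:{sig_id}] {msg}")
```

With the limit entry above, source 10.0.0.5 gets its first two WebDAV alerts in the 60-second window, the next two are suppressed, and the event at t=70 opens a new window and alerts again; the stream4 event from generator 111 has no matching entry and passes through untouched.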
