Snort mailing list archives
Re: setting threshold for snort signatures
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 15 Apr 2004 13:10:46 -0400
At 08:40 AM 4/15/2004, agnelo d wrote:
I need to set thresholds for snort rules. The parameters are:

gen_id gen-id <------ what is this gen-id
sig_id sig-id
type limit, threshold, both
track by_src, by_dst
count n
seconds m

Pls. can someone tell me what is this gen-id.
Generator ID. It's the first number in the alert lines generated by snort. For rules it's always 1. Alerts generated by preprocessors have other numbers.

For example:

[1:1070:6] WEB-MISC WebDAV search access [**]

The bracketed numbers are [generator:SID:revision] for normal rules. If you read gen-msg.map you can find generator:SID combinations for the preprocessors.

i.e.: in 2.1.0 stream4 is generator 111, and [111:1:*] is "spp_stream4: Stealth Activity Detected"
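An added example, not part of the original post or of Snort itself: a small Python script that reads the [generator:SID:revision] header from alert lines, counts hits per generator:SID pair, and emits a standalone `threshold` line (Snort 2.x threshold.conf syntax) for the noisy ones using the parameters listed in the question. The sample alert lines, the `min_hits` cutoff and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Alert header as described above: [generator:SID:revision], then the message.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s*(?:\[\*\*\])?\s*$")

# Constructed sample lines (not real sensor output); the last has no alert header.
SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[**] [111:1:1] spp_stream4: Stealth Activity Detected [**]
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
04/15-13:10:46.000000 192.0.2.10:1034 -> 192.0.2.20:80
"""

def parse_alert(line):
    """Return (gen_id, sig_id, rev, msg), or None if the line has no alert header."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gen_id, sig_id, rev = (int(x) for x in m.group(1, 2, 3))
    return gen_id, sig_id, rev, m.group(4)

def count_alerts(text):
    """Count alerts per (gen_id, sig_id); the revision is ignored for thresholding."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is not None:
            counts[parsed[:2]] += 1
    return counts

def threshold_lines(counts, min_hits, kind="limit", track="by_src", count=1, seconds=60):
    """Build one threshold line for every pair seen at least min_hits times."""
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("type must be limit, threshold or both")
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return [
        f"threshold gen_id {g}, sig_id {s}, type {kind}, track {track}, "
        f"count {count}, seconds {seconds}"
        for (g, s), hits in sorted(counts.items())
        if hits >= min_hits
    ]

if __name__ == "__main__":
    for line in threshold_lines(count_alerts(SAMPLE_ALERTS), min_hits=2):
        print(line)
```
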