RE: Question about rule numbers and Syslog

["Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>]

Thanks for the info.  I found the rev number in the mysql table signature.
Any idea where I might find the generator numbers in the mysql database for
snort.

Shawn

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: October 25, 2004 1:31 PM
To: Truax, Shawn (MBS); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question about rule numbers and Syslog


At 01:10 PM 10/25/2004, Truax, Shawn (MBS) wrote:
> When you receive a syslog message from Snort it gives a rule number of 
> #:###:#. For example 1:255:8 is DNS Zone Transfer TCP.  I know that the 
> middle number is the sid for the rule.  My question is what are the other 
> 2 numbers, where do they come from and are they in the acid database
anywhere.

The first number is the generator. See the generators file that comes with 
snort for a list.

generator 1 is the rule subsystem. Other generators are the preprocessors 
(ie: spp_portscan, etc)

In the case of the rule subsystem, the other two numbers are the sid and 
revision of the rule. Thus in the above it was sid:255; rev:8 that fired.

In the other generators, the second number designates which particular 
alert the preprocessor is generating. What this number means is specific to 
the given preprocessor.  see gen-msg.map for a list of messages for 
generators other than 1. For generators other than 1 the third is unused 
and always 1. (at least AFAIK).