Snort mailing list archives

Re: Undocumented SIDs


From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 21 Jul 2005 16:54:30 -0500

On  0, snort-users-request () lists sourceforge net allegedly wrote:

>    6. Re: Undocumented SIDs (Matt Kettler)
>
> --__--__--
>
> Message: 6
> Date: Thu, 21 Jul 2005 16:47:20 -0400
> From: Matt Kettler <mkettler () evi-inc com>
> To: "Willy, Andrew" <AWilly () eSMIL net>
> CC: "Snort Users (E-mail)" <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Undocumented SIDs
>
> Willy, Andrew wrote:
>> List,
>>
>> Do any of you know off-hand a good place to get information on the alerts
>> that aren't documented, such as OVERSIZE REQUEST-URI DIRECTORY, etc.  I
>> Googled away and did not find anything comprehensive.
>
> That particular alert is not a rule, but is generated by the http_inspect
> preprocessor. (gen_id 1)

gen_id 1 is the main detection engine which would indicate a rule
generated the event. http_inspect uses gen_ids 119 and 120.

> You should look at docs/README.http_inspect.

That is a very good place to start, you can also look at 119-15.txt in
the docs/signatures directory of the snort source.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!
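
As an added example (not part of the original thread and not Snort's own code), the Python sketch below reads the `[gid:sid:rev]` triplet from alert lines and separates rule alerts from preprocessor alerts, using only the gen_id values named in the thread. The sample alert lines, the alert_fast-style layout, and the `<gid>-<sid>.txt` naming generalised from 119-15.txt are assumptions.

```python
import re

# gen_id meanings as stated in the thread. Other gen_ids are left unmapped.
GENERATORS = {1: "rules engine", 119: "http_inspect", 120: "http_inspect"}

# Assumed alert_fast-style layout: "[**] [gid:sid:rev] message [**]"
TRIPLET = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def classify(line):
    """Return where an alert came from and where to look for documentation."""
    m = TRIPLET.search(line)
    if m is None:
        return None  # not an alert line, or a layout this sketch does not know
    gid, sid, rev = (int(g) for g in m.group(1, 2, 3))
    source = GENERATORS.get(gid, "unmapped generator")
    if gid == 1:
        kind, doc = "rule", f"rule with sid:{sid} in the loaded rule files"
    elif gid in GENERATORS:
        # Assumption: naming generalised from the 119-15.txt named in the thread.
        kind, doc = "preprocessor", f"docs/signatures/{gid}-{sid}.txt"
    else:
        kind, doc = "unknown", None
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
            "kind": kind, "source": source, "doc": doc}


# Constructed sample lines (addresses, timestamps and the local rule are made up).
SAMPLE = [
    "07/21-16:47:20.000001  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI "
    "DIRECTORY [**] [Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.80:80",
    "07/21-16:47:21.000002  [**] [1:1000001:1] LOCAL example rule [**] "
    "[Priority: 2] {TCP} 192.0.2.10:40001 -> 192.0.2.80:80",
    "07/21-16:47:22.000003  snort restarted",
]


def undocumented_candidates(lines):
    """Alerts that no rule produced, so searching rule SIDs will not find them."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["kind"] != "rule"]


if __name__ == "__main__":
    for hit in undocumented_candidates(SAMPLE):
        print(f'{hit["gid"]}:{hit["sid"]} {hit["msg"]} -> '
              f'{hit["source"]}, see {hit["doc"]}')
```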

