Snort mailing list archives
Re: Rule ID question
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 Sep 2010 11:30:23 -0400
On 9/16/2010 10:32, Bobby Venal wrote:
Hi all, Noob question here, but I saw an alert with the following: "SID: 9003461.1: SMTP Content-Type overflow attempt" When I search /etc/sid-msg.map, I find this entry: "3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx" What is that prepended "900" in the log entry? I thought it might be GID, but I'm not seeing "900" in my gen-msg.map file.
GID entries would have another colon trailing the GID number (i.e. 1: for the normal text rules in the *.rules files)...

What is your environment configuration? Are you using any database type processing capabilities like barnyard or similar? Where did you see that alert? In the (raw?) snort alert log file or somewhere else? If somewhere else, how was it processed to display there?
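To make the two identifier formats in this thread concrete, here is an added example (not code from either poster or from the Snort project) that parses the `sid || msg || ref || ref ...` format of the quoted sid-msg.map entry and resolves Snort's `gid:sid:rev` form, a `gid:sid` form, or a bare SID against it. It assumes the classic convention that sid-msg.map describes GID 1 (the text rules) only; the second map line and the `lookup`/`parse_alert_id` names are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of sid-msg.map content: the first entry is the line quoted
# in the thread, the second is a made-up placeholder so the map has two keys.
SID_MSG_MAP = """\
# comment lines and blanks are ignored
3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
1000001 || LOCAL constructed placeholder rule
"""

def parse_sid_msg_map(text: str) -> Dict[int, dict]:
    """Parse 'sid || msg || ref || ref ...' lines into {sid: {"msg", "refs"}}."""
    entries: Dict[int, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        sid, msg, refs = int(fields[0]), fields[1], fields[2:]
        # each reference is "system,id", e.g. "cve,2003-0113"
        entries[sid] = {"msg": msg, "refs": [tuple(r.split(",", 1)) for r in refs]}
    return entries

# gid:sid:rev, gid:sid, or bare sid; anything else (e.g. "9003461.1") is rejected
_ID_RE = re.compile(r"^(?:(?P<gid>\d+):)?(?P<sid>\d+)(?::(?P<rev>\d+))?$")

def parse_alert_id(ident: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (gid, sid, rev); gid defaults to 1 (text rules) when absent."""
    m = _ID_RE.match(ident.strip())
    if not m:
        return None
    gid = int(m.group("gid")) if m.group("gid") else 1
    rev = int(m.group("rev")) if m.group("rev") else None
    return gid, int(m.group("sid")), rev

def lookup(ident: str, sidmap: Dict[int, dict]) -> Optional[str]:
    """Resolve an identifier to its sid-msg.map message, or None if it is not a
    GID 1 rule known to the map (other generators belong in gen-msg.map)."""
    parsed = parse_alert_id(ident)
    if parsed is None:
        return None
    gid, sid, _rev = parsed
    if gid != 1:
        return None
    entry = sidmap.get(sid)
    return entry["msg"] if entry else None

if __name__ == "__main__":
    sidmap = parse_sid_msg_map(SID_MSG_MAP)
    for ident in ("1:3461:5", "3461", "9003461.1"):
        print(ident, "->", lookup(ident, sidmap))
```

Running it shows that `1:3461:5` and `3461` both resolve to the quoted message, while the `9003461.1` string from the alert matches neither form and resolves to nothing, which is the point of asking what produced it.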