Snort mailing list archives

Re: Rule ID question


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 Sep 2010 11:30:23 -0400

On 9/16/2010 10:32, Bobby Venal wrote:
Hi all,

Noob question here, but I saw an alert with the following:

"SID: 9003461.1: SMTP Content-Type overflow attempt"

When I search /etc/sid-msg.map, I find this entry:

"3461 || SMTP Content-Type overflow attempt || bugtraq,7419 ||
cve,2003-0113 ||
url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx"

What is that prepended "900" in the log entry?  I thought it might be
GID, but I'm not seeing "900" in my gen-msg.map file.

GID entries would have another colon trailing the GID number (i.e. 1: for the 
normal text rules in the *.rules files)...

what is your environment configuration? are you using any database-type 
processing capabilities like barnyard or similar?

where did you see that alert? in the (raw?) snort alert log file or somewhere 
else? if somewhere else, how was it processed to display there?
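The reply above hinges on how Snort identifies a rule: a GID:SID:rev triple, with GID 1 text rules resolved through sid-msg.map and preprocessor alerts through gen-msg.map. The following is an added example, not code from the thread or from the Snort project, that parses both map files and audits alert lines against them. The map contents and alert lines are constructed here (the 3461 line is the one quoted in the thread); the GID-1-only rule for choosing sid-msg.map is a simplification of how Snort 2.x maps generators.

```python
"""Resolve Snort alert identifiers against sid-msg.map and gen-msg.map.

Added example (not from the thread). File formats used:
  sid-msg.map : sid || msg || reftype,refid || ...
  gen-msg.map : gid || sid || msg
Snort's fast-alert log carries rule identity as [gid:sid:rev].
"""
import re

# Constructed sample of /etc/sid-msg.map; the 3461 line is the one from the thread.
SID_MSG_MAP = """\
# comment lines and blanks are skipped
3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
1000001 || LOCAL test rule
"""

# Constructed sample of gen-msg.map (gid || sid || msg).
GEN_MSG_MAP = """\
1 || 1 || snort general alert
105 || 1 || spp_bo: Back Orifice Traffic detected
"""

# Constructed alert lines in Snort's fast-alert format; the third line's
# message deliberately disagrees with the map to show a stale-map finding.
ALERT_LOG = """\
09/16-10:20:01.123456  [**] [1:3461:6] SMTP Content-Type overflow attempt [**] [Priority: 1] {TCP} 192.0.2.10:40123 -> 198.51.100.25:25
09/16-10:21:44.000001  [**] [105:1:1] spp_bo: Back Orifice Traffic detected [**] [Priority: 3] {UDP} 192.0.2.11:31337 -> 198.51.100.30:31337
09/16-10:22:09.500000  [**] [1:1000001:2] LOCAL test rule v2 [**] [Priority: 3] {TCP} 192.0.2.12:5555 -> 198.51.100.40:80
"""

ALERT_ID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def _fields(line):
    """Split one map line on '||' and strip each field."""
    return [f.strip() for f in line.split("||")]


def _records(text):
    """Yield non-blank, non-comment map lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_sid_msg_map(text):
    """Return {sid: (msg, [(reftype, refid), ...])}."""
    table = {}
    for line in _records(text):
        fields = _fields(line)
        refs = [tuple(r.partition(",")[::2]) for r in fields[2:]]
        table[int(fields[0])] = (fields[1], refs)
    return table


def parse_gen_msg_map(text):
    """Return {(gid, sid): msg}."""
    table = {}
    for line in _records(text):
        fields = _fields(line)
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table


def parse_alert_ids(text):
    """Return [(gid, sid, rev, msg)] for every [gid:sid:rev] in fast-alert lines."""
    return [(int(g), int(s), int(r), m) for g, s, r, m in ALERT_ID_RE.findall(text)]


def resolve(gid, sid, sid_map, gen_map):
    """Look up the message for a GID:SID pair, or None if unmapped.

    Simplifying assumption: GID 1 (text rules) indexes sid-msg.map, every
    other generator indexes gen-msg.map.
    """
    if gid == 1:
        entry = sid_map.get(sid)
        return None if entry is None else entry[0]
    return gen_map.get((gid, sid))


def audit(alert_text, sid_map, gen_map):
    """Classify each alert as 'ok', 'msg-mismatch' (stale map) or 'unknown'."""
    results = []
    for gid, sid, rev, logged_msg in parse_alert_ids(alert_text):
        mapped = resolve(gid, sid, sid_map, gen_map)
        if mapped is None:
            status = "unknown"
        elif mapped != logged_msg:
            status = "msg-mismatch"
        else:
            status = "ok"
        results.append((gid, sid, rev, status))
    return results


if __name__ == "__main__":
    sid_map = parse_sid_msg_map(SID_MSG_MAP)
    gen_map = parse_gen_msg_map(GEN_MSG_MAP)
    for gid, sid, rev, status in audit(ALERT_LOG, sid_map, gen_map):
        print(f"{gid}:{sid}:{rev} {status} -> {resolve(gid, sid, sid_map, gen_map)}")
```

Running it against real files is a matter of replacing the three constructed strings with the contents of /etc/sid-msg.map, gen-msg.map and the fast-alert log; an alert whose identifier does not match the bracketed gid:sid:rev pattern simply will not appear in the audit, which is itself a hint that the line came out of some post-processing stage rather than Snort's own alert writer.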


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
