Snort mailing list archives

Question on GID 116 (multiple


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 28 Dec 2020 12:02:38 +0100

Hello,
I'm working on updating the Snort3 Splunk plugin (for normalizing and
adding data to Snort3 alerts in Splunk), and I have a question regarding
GID 116.

When I run *snort --list-gids*, I see that there are multiple entries for
GID 116:

noah@snort3:~$ snort --list-gids
105: back_orifice
106: rpc_decode
112: arp_spoof
116: arp
116: auth
116: ciscometadata
116: decode
116: erspan2
116: erspan3
116: esp
116: eth
116: fabricpath
116: gre
116: gtp
116: icmp4
116: icmp6
116: igmp
...

Is there a reason for this duplication (are these all part of the same set
of decoders or something)? I also see this for GID 133.

The reason I ask is that I'm configuring lookups to add
relevant information to the search results in Splunk (adding the name of
the decoder/preprocessor to each event), and this makes it more difficult.
For example, in my results I have two alerts with GID 116 showing the
following msg:
(icmp4) ICMP ping Nmap
(tcp) TCP SYN with FIN

I assume that I'm looking at the icmp4 and tcp decoders within GID 116, but
I wanted to make sure.

Thanks
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
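One way to build the lookup the post describes, handling the shared-GID case: parse the `snort --list-gids` output into a GID-to-names table and, for a GID that lists several modules, use the parenthesised prefix of the rule msg (e.g. "(icmp4)") as the disambiguator. This is an added example, not code from the post or from the Snort3 Splunk plugin; the embedded sample output is a subset of the lines quoted above, so names absent from it (such as tcp) deliberately resolve to None.

```python
import re
from collections import defaultdict

# Subset of the `snort --list-gids` output quoted in the post (constructed sample).
LIST_GIDS_OUTPUT = """\
105: back_orifice
106: rpc_decode
112: arp_spoof
116: arp
116: decode
116: icmp4
116: icmp6
116: igmp
"""

LINE_RE = re.compile(r"^\s*(\d+):\s*(\S+)\s*$")
# Decoder alerts carry the module name in parentheses: "(icmp4) ICMP ping Nmap".
MSG_PREFIX_RE = re.compile(r"^\((?P<name>[a-z0-9_]+)\)\s")


def parse_list_gids(text):
    """Return {gid: [module, ...]} in the order Snort printed them."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[int(m.group(1))].append(m.group(2))
    return dict(table)


def resolve_module(gid, msg, table):
    """Name the module behind an alert, or None if it cannot be determined.

    A GID owned by one module is unambiguous. For a shared GID (116, 133)
    the msg prefix decides, but only if it is one of the names listed for
    that GID; anything else is returned as None so the lookup can flag it
    instead of silently mislabelling the event.
    """
    names = table.get(gid, [])
    if len(names) == 1:
        return names[0]
    m = MSG_PREFIX_RE.match(msg)
    if m and m.group("name") in names:
        return m.group("name")
    return None
```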
