Phil Wood <cpw at ...86...> writes:

> Folks,
> I'm taking a closer look at the alert/log generation.  Actually, I just
> wanted to understand the short message format:
> I was alright until I broke down the [n:n:n] field, and then looked at my
> alerts, and then back at the preprocessor alerts, and then ...
> But, now I'm ok.  I would personally leave out the "(preprocessor)" stuff
> and just let people in on the meaning of the GEN field of the [n:n:n] structure.
> Or, on the other hand, add in to each msg generated by the snort_engine 
> "(snort_engine)".

That was added so that when people were asking "WTF is this message
coming from... I disabled every single rule I could", they would have
a bit of knowledge about what part of snort it was coming from.

Most people seem to use either full or sql output.  <sigh>
> Any post processor worth its salt could index the GEN value into a list of
> generators.  Of course you could argue the same for the SID.

You could. :^).

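The post-processor idea above (resolve the GEN field of the [gen:sid:rev] triple to a generator name instead of relying on the "(preprocessor)" prefix in the message text) as a small added example. This is not code from the thread or from the Snort project; the alert lines are constructed for the example, and the generator table is an illustrative subset of ids (the gen-msg.map shipped with Snort is the authoritative list).

```python
import re
from typing import NamedTuple, Optional, Dict, List

# Illustrative subset of generator ids (assumption: in a real deployment
# load this from the gen-msg.map that ships with Snort).
GENERATORS: Dict[int, str] = {
    1: "snort_rules",    # the rules engine ("snort_engine" in the thread)
    122: "sfportscan",   # portscan preprocessor
}

# Matches the "[**] [gen:sid:rev] message [**]" part of a fast-style alert.
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


class Sig(NamedTuple):
    gen: int
    sid: int
    rev: int
    msg: str
    generator: str   # name resolved from GEN, not from the message prefix


def parse_alert(line: str) -> Optional[Sig]:
    """Extract the [gen:sid:rev] triple and message; None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gen, sid, rev = (int(x) for x in m.group(1, 2, 3))
    name = GENERATORS.get(gen, f"unknown_generator_{gen}")
    return Sig(gen, sid, rev, m.group(4), name)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count alerts per generator so an analyst sees which part of Snort fired."""
    counts: Dict[str, int] = {}
    for line in lines:
        sig = parse_alert(line)
        if sig is None:
            continue
        counts[sig.generator] = counts.get(sig.generator, 0) + 1
    return counts


# Constructed sample alert lines (not real traffic or real signatures).
SAMPLE_ALERTS = [
    "01/03-12:34:56.789012  [**] [1:1000001:2] WEB-MISC test pattern [**] "
    "[Priority: 2] {TCP} 10.0.0.5:43122 -> 10.0.0.10:80",
    "01/03-12:35:01.000123  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.10",
    "01/03-12:35:02.000500  [**] [999:7:1] (mystery) no table entry for this gen [**] "
    "[Priority: 3] {UDP} 10.0.0.5:5353 -> 10.0.0.10:5353",
    "this line is not an alert at all",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert(line))
    print(summarize(SAMPLE_ALERTS))
```

An unknown GEN is reported as such rather than dropped, so a new preprocessor or a stale table shows up in the summary instead of silently disappearing.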