[Snort-devel] generators[.h]

Chris Green cmg at ...835...
Tue Oct 22 18:54:03 EDT 2002


Phil Wood <cpw at ...86...> writes:

> Folks,
>
> I'm taking a closer look at the alert/log generation.  Actually, I just
> wanted to understand the short message format:
>
> MM/DD-HH:MM:SS.UUUUUU  [**] [GEN:SID:REV] msg [**] {PROTO} SADDR:SPORT -> DADDR:DPORT
>
> I was alright until I broke down the [n:n:n] field, and then looked at my
> alerts, and then back at the preprocessor alerts, and then ...
>
> But, now I'm ok.  I would personally leave out the "(preprocessor)" stuff
> and just let people in on the meaning of the GEN field of the [n:n:n] structure.
> Or, on the other hand, add in to each msg generated by the snort_engine
> "(snort_engine)".

That was added so that when people were asking "WTF is this message
coming from... I disabled every single rule I could", they would have
a bit of knowledge about what part of snort it was coming from.

Most people seem to use either full or sql output.  <sigh>
>
> Any post processor worth its salt could index the GEN value into a list of
> generators.  Of course you could argue the same for the SID.

You could. :^).
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
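Added example (not code from the thread or from Snort itself): a small post-processor of the kind Phil describes, which splits the [GEN:SID:REV] field of the short alert format quoted above and indexes GEN into a generator table, so each alert says which part of Snort produced it without any "(preprocessor)" tag in the msg. Beyond what the thread shows, it also tolerates the optional [Classification: ...] and [Priority: N] fields later Snort versions print before the address block, ICMP lines without ports, and alerts with no address block at all; it is IPv4-only. The GENERATORS table and the sample alert lines are constructed for the example: the generator ids are the ones I believe Snort 2.x used, and the real table should be built from the gen-msg.map shipped with your Snort version.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The short alert format quoted in the thread:
#   MM/DD-HH:MM:SS.UUUUUU  [**] [GEN:SID:REV] msg [**] {PROTO} SADDR:SPORT -> DADDR:DPORT
# Assumptions beyond the thread: optional [Classification: ...] and
# [Priority: N] fields between the msg and the address block, ICMP lines
# without ports, and alerts with no address block at all.  IPv4 only: the
# address fields stop at the first ':' so that the port can be split off.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"(?:\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?)?"
    r"\s*$"
)

# Constructed lookup table for the GEN column.  These ids are the ones I
# believe Snort 2.x used; treat them as illustrative and build the real
# table from the gen-msg.map shipped with your Snort version.
GENERATORS: Dict[int, str] = {
    1: "snort_engine (rules)",
    2: "tag (tagged packets)",
    116: "snort_decoder",
    119: "http_inspect (client)",
    122: "portscan",
}

# Constructed sample alert file; the generator id 7 is deliberately absent
# from GENERATORS to exercise the fallback, and the '#' line is junk.
SAMPLE_ALERTS = """\
10/22-18:54:03.123456  [**] [1:1000001:1] LOCAL test rule [**] {TCP} 192.168.1.10:40000 -> 10.0.0.5:80
10/22-18:54:04.000001  [**] [116:3:1] (snort_decoder) WARNING: IP dgm len > captured len! [**] {TCP} 192.168.1.10:40000 -> 10.0.0.5:80
# not an alert line
10/22-18:54:05.500000  [**] [1:2:1] LOCAL icmp echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
10/22-18:54:06.000000  [**] [7:1:1] (example_preprocessor) demo alert [**]
"""


@dataclass
class Alert:
    timestamp: str
    gen: int
    sid: int
    rev: int
    msg: str
    generator: str                 # resolved from GEN: which part of Snort fired
    classification: Optional[str]
    priority: Optional[int]
    proto: Optional[str]
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


def parse_alert(line: str, generators: Dict[int, str] = GENERATORS) -> Optional[Alert]:
    """Parse one short-format alert line; return None if it is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    gen = int(m["gen"])

    def opt_int(s: Optional[str]) -> Optional[int]:
        return int(s) if s is not None else None

    return Alert(
        timestamp=m["ts"],
        gen=gen, sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"],
        generator=generators.get(gen, f"unknown generator {gen}"),
        classification=m["cls"],
        priority=opt_int(m["pri"]),
        proto=m["proto"],
        src=m["src"], sport=opt_int(m["sport"]),
        dst=m["dst"], dport=opt_int(m["dport"]),
    )


def parse_alert_file(text: str, generators: Dict[int, str] = GENERATORS) -> List[Alert]:
    """Parse every line that is an alert; silently skip anything else."""
    parsed = (parse_alert(line, generators) for line in text.splitlines())
    return [a for a in parsed if a is not None]


def count_by_generator(alerts: List[Alert]) -> Dict[str, int]:
    """The 'what part of snort is this coming from' summary."""
    return dict(Counter(a.generator for a in alerts))


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERTS)
    for a in alerts:
        print(f"[{a.gen}:{a.sid}:{a.rev}] {a.generator:<24} {a.msg}")
    print(count_by_generator(alerts))
```

Unparseable lines are dropped rather than raising, so a junk line in the middle of a log does not abort the run; an unknown GEN still yields a usable "unknown generator N" label, which is the signal to update the generator table.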
