[Snort-sigs] Question on alert formats.

Daniel Swan swan_daniel at ...76...
Sun Aug 19 18:41:24 EDT 2001

Some time ago, I wrote "snort2html", a program that parses alerts and outputs them to a nicely formatted HTML page.

Over time, as snort and alert formats have changed, my program has become increasingly less useful.  Now that it is time to revisit the issue and update my program, I find some of the alert formats to be somewhat unstandardized.

As an example, I would like to provide these two alerts:

Aug 14 10:43:08 h24-64-249-20 snort[12945]: [1:1243:1]  WEB-IIS ISAPI .ida attempt [Classification: Attempted Administrator Privilege Gain   Priority: 10]: 24.64.224.161:4472 ->

Aug 14 10:44:43 h24-64-249-20 snort[12945]: ICMP Destination Unreachable (Communication Administratively Prohibited) [1:485:1] : ->

Note, the [1:???:1] portion comes after the description in one, and before the description in another.

Of course, I'd like to avoid writing too many different regexps for various different standards... are there any plans to make these alerts consistent?

Also, what does the [1:???:1] refer to?


--== Sent via Deja.com ==--
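As an added example (not the author's snort2html code), the following parser accepts both layouts shown in the post, with the bracketed triple before or after the message text, by locating the triple anywhere in the syslog body and removing it before parsing the rest. The triple is Snort's generator:signature:revision identifier; the two sample lines are the alerts quoted above, and the field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix written by snort: "Mon DD HH:MM:SS host snort[pid]: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: (?P<body>.*)$")
# [generator:signature:revision] triple; searched anywhere since its position varies.
ID_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")
CLASS_RE = re.compile(r"\[Classification: (?P<cls>.+?)\s+Priority: (?P<prio>\d+)\]")
# Trailing "src -> dst"; either side may be empty, as in the ICMP alert.
ADDR = r"(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?"
TAIL_RE = re.compile(rf"^(?P<msg>.*?)\s*:\s*(?P<src>{ADDR})?\s*->\s*(?P<dst>{ADDR})?\s*$")

@dataclass
class Alert:
    timestamp: str
    host: str
    pid: int
    gid: int
    sid: int
    rev: int
    id_before_message: bool   # True for "[g:s:r] msg", False for "msg [g:s:r]"
    message: str
    classification: Optional[str]
    priority: Optional[int]
    src: str
    dst: str

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one snort syslog alert line; return None if it is not a snort alert."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    idm = ID_RE.search(body)
    if not idm:
        return None
    rest = body[:idm.start()] + body[idm.end():]   # message + optional class + addresses
    cls = CLASS_RE.search(rest)
    classification = priority = None
    if cls:
        classification, priority = cls["cls"].strip(), int(cls["prio"])
        rest = rest[:cls.start()] + rest[cls.end():]
    tail = TAIL_RE.match(rest)
    if not tail:
        return None
    return Alert(m["ts"], m["host"], int(m["pid"]),
                 int(idm["gid"]), int(idm["sid"]), int(idm["rev"]),
                 idm.start() == 0, tail["msg"].strip(),
                 classification, priority, tail["src"] or "", tail["dst"] or "")
```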
