mkettler at ...189...
Fri Oct 10 12:39:07 EDT 2003
At 11:08 AM 10/10/2003, Martin Jr., D. Michael wrote:
>What does the "event_id" in the snort log refer to?
>10/09-18:17:15.481756 ICMP src: 192.168.102.11 dst: 192.168.104.47
>type: 8 code: 0 tgts: 19 event_id: 38
>Any guidance would be appreciated. (I would also like to know what the
>"type" and "code" mean as well)
I suspect that event_id is just a counter of events that snort has alerted
on. My setup of snort doesn't log these, so I don't know exactly what it's

"type" and "code" are a part of the ICMP packet format, and are information
about the original packet that snort alerted on.

ICMP messages are specified for several different types, and each type has
codes defined under it.

In this packet type 8 is echo request, aka ping request. Code 0 is the
only code for type 8.

Another common ICMP message type is type 3, which is destination
unreachable. There are 16 different codes for type 3, which define
different reasons as to why the destination was unreachable. Code 0 is
network unreachable, whereas code 3 is port unreachable, and 13 is
administratively prohibited by filtering.

If you need details about ICMP, RFC 792 specifies the basics of ICMP, but
many of the ICMP message definitions are scattered across a bunch of
different RFCs. This site seems to have most of the references you might
want handy in one spot.

RFC 1700, the RFC of assigned numbers by IANA is also handy.
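As an added illustration (not part of the thread), the following parser turns log lines in the format quoted above into records and decodes the ICMP type/code fields the reply explains. It goes beyond the reply by carrying the full type 3 code table (codes 0-15 from RFC 792 and RFC 1812) plus the type 11 codes; the field order in the regex is an assumption based on the single line quoted in the question.

```python
import re
from collections import Counter

# Names from RFC 792 and RFC 1812; type 3 defines codes 0-15, as the reply says.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        5: "source route failed", 6: "destination network unknown",
        7: "destination host unknown", 8: "source host isolated",
        9: "network administratively prohibited",
        10: "host administratively prohibited",
        11: "network unreachable for TOS", 12: "host unreachable for TOS",
        13: "communication administratively prohibited",
        14: "host precedence violation", 15: "precedence cutoff in effect"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}

# Field order of the line quoted in the thread (assumed fixed for this log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP src: (?P<src>\S+) dst: (?P<dst>\S+) type: (?P<type>\d+) "
    r"code: (?P<code>\d+) tgts: (?P<tgts>\d+) event_id: (?P<event_id>\d+)$")

def describe(icmp_type: int, code: int) -> str:
    """Human-readable name for an ICMP type/code pair; unknown values are flagged."""
    tname = ICMP_TYPES.get(icmp_type, f"unknown type {icmp_type}")
    codes = ICMP_CODES.get(icmp_type)
    if codes is None:  # types with a single code, e.g. type 8 has only code 0
        return tname if code == 0 else f"{tname} / unknown code {code}"
    return f"{tname} / {codes.get(code, f'unknown code {code}')}"

def parse_icmp_line(line: str):
    """Parse one ICMP alert line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "tgts", "event_id"):
        rec[key] = int(rec[key])
    rec["description"] = describe(rec["type"], rec["code"])
    return rec

def summarize(lines):
    """Count parsed events per (src, description), skipping lines that do not parse."""
    recs = filter(None, map(parse_icmp_line, lines))
    return Counter((r["src"], r["description"]) for r in recs)
```

Feeding a day's ICMP lines through summarize gives a quick per-source view of which message types a host is generating, which is the context the event_id counter alone does not provide.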