[Snort-sigs] event_id

Matt Kettler mkettler at ...189...
Fri Oct 10 12:39:07 EDT 2003


At 11:08 AM 10/10/2003, Martin Jr., D. Michael wrote:
>What does the "event_id" in the snort log refer to?
>
>Example:
>10/09-18:17:15.481756  ICMP src: 192.168.102.11 dst: 192.168.104.47
>type: 8 code: 0 tgts: 19 event_id: 38
>
>Any guidance would be appreciated.  (I would also like to know what the
>"type" and "code" mean as well)


I suspect that event_id is just a counter of events that snort has alerted 
on. My setup of snort doesn't log these, so I don't know exactly what it's 
about.


"type" and "code" are a part of the ICMP packet format, and are information 
about the original packet that snort alerted on.

ICMP messages are specified for several different types, and each type has 
codes defined under it.

In this packet type 8 is echo request, a.k.a. ping request. Code 0 is the 
only code for type 8.

Another common ICMP message type is type 3, which is destination 
unreachable. There are 16 different codes for type 3, which define 
different reasons as to why the destination was unreachable. Code 0 is 
network unreachable, whereas code 3 is port unreachable, and 13 is 
administratively prohibited by filtering.


If you need details about ICMP, RFC 792 specifies the basics of ICMP, but 
many of the ICMP message definitions are scattered across a bunch of 
different RFCs. This site seems to have most of the references you might 
want handy in one spot.
http://www.networksorcery.com/enp/protocol/icmp.htm

RFC 1700, the RFC of assigned numbers by IANA is also handy.
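As an added illustration of the type/code discussion above (this is example code written for this page, not code from Snort or from the post): the script below parses the alert line quoted in the question, names the ICMP type and code per RFC 792 and the IANA ICMP registry (including all sixteen type 3 codes), and decodes a raw ICMP header with its RFC 1071 checksum. The sample alert line is the one from the post joined onto a single line; the raw echo-request packet is constructed here for the demonstration.

```python
"""Decode the "type" and "code" fields from Snort ICMP alert lines.

Added example; not code from Snort or from the mailing-list post. Type/code
names follow RFC 792 and the IANA ICMP parameter registry. The alert line is
the one quoted in the post; the raw packet is constructed for illustration.
"""
import re
import struct

# Common ICMP message types (RFC 792); the IANA registry lists more.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
    13: "timestamp",
    14: "timestamp reply",
}

# Codes defined for type 3 (RFC 792, extended by RFC 1122 and RFC 1812).
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "network unreachable for type of service",
    12: "host unreachable for type of service",
    13: "communication administratively prohibited (by filtering)",
    14: "host precedence violation",
    15: "precedence cutoff in effect",
}

# Snort ICMP alert line as quoted in the post, joined onto one line.
SAMPLE_LINE = ("10/09-18:17:15.481756  ICMP src: 192.168.102.11 dst: 192.168.104.47 "
               "type: 8 code: 0 tgts: 19 event_id: 38")

_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ICMP\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)"
    r"\s+type:\s*(?P<type>\d+)\s+code:\s*(?P<code>\d+)"
    r"(?:\s+tgts:\s*(?P<tgts>\d+))?(?:\s+event_id:\s*(?P<event_id>\d+))?"
)


def describe(icmp_type, code):
    """Return a human-readable name for an ICMP type/code pair."""
    name = ICMP_TYPES.get(icmp_type, "type %d (unknown)" % icmp_type)
    if icmp_type == 3:
        reason = UNREACHABLE_CODES.get(code, "code %d (unknown)" % code)
        return "%s: %s" % (name, reason)
    if code != 0:
        return "%s (code %d)" % (name, code)
    return name


def parse_snort_icmp_line(line):
    """Parse one Snort ICMP alert line into a dict; None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "tgts", "event_id"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["meaning"] = describe(rec["type"], rec["code"])
    return rec


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload=b""):
    """Build a type 8 / code 0 (echo request) message with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp_header(packet):
    """Decode type, code and checksum from raw ICMP bytes (no IP header)."""
    if len(packet) < 4:
        raise ValueError("ICMP message shorter than 4 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        # Summing a message that already carries its checksum yields 0.
        "checksum_ok": icmp_checksum(packet) == 0,
        "meaning": describe(icmp_type, code),
    }
```

Running `parse_snort_icmp_line(SAMPLE_LINE)` labels the quoted alert as an echo request, and `describe(3, 13)` gives the "administratively prohibited (by filtering)" reason mentioned above. The checksum check matters when you look at ICMP on the wire: a type 3 packet with a bad checksum is dropped by the receiving stack and will not influence it, even though a sniffer still sees it.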





