[Snort-users] Definitions of snort signatures

Chris Green cmg at ...671...
Tue Nov 13 06:42:06 EST 2001

"Don Weber" <Don.Weber at ...4063...> writes:

> I am doing a research project, analyzing our schools network for
> attacks, and I am getting good results using snort and snortsnarf.
> But I have no idea what the signatures mean.  Is there any
> documentation anyplace that explains what each signature means and why
> the packet was flagged? 

A good number of the rules have a references field.  This maps to
information about the rule.

The reason packets are flagged is because they match the rule and the
reason the rule was written is often described in the refernces

SnortSnart parses them and provides links or you can look at

#define BUGTRAQ_URL_HEAD   "http://www.securityfocus.com/bid/"
#define CVE_URL_HEAD       "http://cve.mitre.org/cgi-bin/cvename.cgi?name="
#define ARACHNIDS_URL_HEAD "http://www.whitehats.com/info/IDS"
#define MCAFEE_URL_HEAD    "http://vil.nai.com/vil/dispVirus.asp?virus_k="
#define URL_HEAD           "http://"

eg: reference: bugtraq, 1991 -> http://www.securityfocus.com/bid/1991
Chris Green <cmg at ...671...>
Don't use a big word where a diminutive one will suffice.

More information about the Snort-users mailing list