[Snort-users] what is this mean?

Matt Kettler mkettler at ...4108...
Mon Aug 12 21:10:02 EDT 2002


Offhand I can't tell you what the first number (the 1) is, but the second 
and third are the signature ID (SID) and revision of the rule that caused 
the alert. There might be multiple rules with the same message, but there 
should never be two rules with the same SID.


So the SID of the rule is 1721, and it's revision 3 of the rule.

If you look at the rule (in web-cgi.rules):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flags:A+; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:3;)

The sid and rev are the last two parts.

At 11:21 AM 8/13/2002 +0800, SW wrote:
>Hi,
>
>I am new to Snort. I am wondering what the [1:1721:3] means in the 
>following alert file:
>
>[**] [1:1721:3] WEB-CGI adcycle access [**]
>
>Thanks
>SW
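
The mapping from an alert header back to its rule, as an added Python example that is not part of the original message. It treats the first field as Snort's generator ID (1 for ordinary text rules); the function names and the second sample rule are constructed for illustration.

```python
import re

# Alert header in the alert file: [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# The rule quoted in the message, plus one constructed local rule.
SAMPLE_RULES = '''
# constructed sample rule file
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flags:A+; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:3;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED local example"; content:"example"; sid:1000001; rev:1;)
'''

def parse_alert(line):
    """Return gid, sid, rev and message from an alert header, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4)}

def index_rules(text):
    """Map SID -> (rev, msg); a repeated SID is an error, as the message notes."""
    rules = {}
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():  # join continued lines
        line = line.strip()
        sid = SID_RE.search(line)
        if not line or line.startswith("#") or sid is None:
            continue
        if int(sid.group(1)) in rules:
            raise ValueError(f"duplicate sid {sid.group(1)}")
        rev, msg = REV_RE.search(line), MSG_RE.search(line)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else None,
                                    msg.group(1) if msg else "")
    return rules

def triage(alert_line, rules):
    """Classify an alert against the text rules currently on disk."""
    alert = parse_alert(alert_line)
    if alert is None:
        return "not-an-alert"
    if alert["gid"] != 1:          # assumption: only generator 1 maps to text rules
        return "other-generator"
    if alert["sid"] not in rules:
        return "unknown-sid"
    return "match" if rules[alert["sid"]][0] == alert["rev"] else "rev-mismatch"

if __name__ == "__main__":
    print(triage("[**] [1:1721:3] WEB-CGI adcycle access [**]", index_rules(SAMPLE_RULES)))
```

A "rev-mismatch" result means the alert was produced by a different revision of the rule than the one in the file being read, which is worth knowing before interpreting the alert from the rule text.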




