[Snort-users] what is this mean?
mkettler at ...4108...
Mon Aug 12 21:10:02 EDT 2002
Offhand I can't tell you what the first number (the 1) is, but the second
and third are the signature ID (SID) and revision of the rule that caused
the alert. There might be multiple rules with the same message, but there
should never be two rules with the same SID.
so the SID of the rule is 1721, and it's revision 3 of the rule.
if you look at the rule (in web-cgi.rules)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
adcycle access"; flags:A+; uricontent:"/adcycle"; nocase;
classtype:web-application-activity; sid:1721; rev:3;)
the sid and rev are the last two parts.
At 11:21 AM 8/13/2002 +0800, SW wrote:
>I am new to snort. I am wondering what is the [1:1721:3] mean in the
>following alert file:
>[**] [1:1721:3] WEB-CGI adcycle access [**]
More information about the Snort-users