[Snort-users] Fast Alert Log Format

Martin Roesch roesch at ...1935...
Mon Mar 4 06:22:08 EST 2002


Here's the breakdown of the SID block:

[1:300001:1]
 ^   ^    ^
 |   |    |
 |   |    +-- Revision number (Rev)
 |   |
 |   +------- Snort ID (SID)
 |
 +----------- Generator ID (GID)

The generator ID is the subsystem within Snort that generated the event.
The references for this data can be found in generators.h, but for the sake
of enlightenment (not the window manager) a GID of 1 means the primary
detection engine generated the event.

The SID is the identification number of the event.  These numbers are unique
to each Snort signature and each detectable event that the preprocessors can
generate.  If you want to find out which signature generated an event, just
grep *.rules for the SID.

The revision number is the version of the rule that went off; as rules are
updated and evolve, these numbers will increment.

Hope that helps!

     -Marty


On 3/4/02 1:11 AM, "Bill McCarty" <bmccarty at ...5196...> wrote:

> I'm writing a program to process lines in Snort's Fast Alert Log. However,
> I can't decipher several of the fields.
> 
> Here's a typical log entry:
> 
> 03/03-22:06:32.396957  [**] [1:300001:1] Service Hunt [**] [Classification:
> Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40144 ->
> xxx.xxx.xxx.xxx:21
> 
> Can someone tell me what information can appear in the two fields
> containing asterisks? In my logs I find no entry in which they contain
> anything else.
> 
> And, can someone tell me the meaning of the number preceding the sid
> (3000001) and rule revision number?
> 
> Thanks!
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
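The fast alert layout Bill quotes and the [gid:sid:rev] block Marty breaks down, as an added Python parser that is not part of the original thread. The sample lines are constructed (documentation-range addresses stand in for the masked ones), and the parser assumes IPv4 addresses, an optional Classification block, and portless ICMP entries.

```python
import re
from typing import Optional

# Added example (not from the thread): parser for one line of Snort's fast alert
# format, following Bill's sample line and Marty's breakdown of [gid:sid:rev].
# Assumptions: the Classification block may be absent, ICMP alerts carry no
# ports, and addresses are IPv4 (IPv6 would need a different src/dst pattern).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the fields of one fast alert line as a dict, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # Numeric fields become ints; missing optional fields (cls, sport, dport) stay None.
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        f[key] = int(f[key]) if f[key] is not None else None
    return f


def is_rule_alert(alert: dict) -> bool:
    """GID 1 is the primary detection engine, so the SID can be looked up in *.rules;
    any other GID is a preprocessor-generated event with no rule file entry."""
    return alert["gid"] == 1


# Constructed sample lines: the first mirrors Bill's entry with documentation-range
# addresses filled in; the others exercise the ICMP and missing-Classification cases.
SAMPLE_LINES = [
    "03/03-22:06:32.396957  [**] [1:300001:1] Service Hunt [**] [Classification: "
    "Misc activity] [Priority: 3] {TCP} 192.0.2.10:40144 -> 192.0.2.21:21",
    "03/03-22:07:01.000001  [**] [1:300002:2] Constructed ICMP rule [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.21",
    "03/03-22:07:05.000002  [**] [100:1:1] Constructed preprocessor event [**] "
    "[Priority: 2] {TCP} 192.0.2.10:40145 -> 192.0.2.21:80",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        a = parse_fast_alert(line)
        print(f"{a['gid']}:{a['sid']}:{a['rev']} rule={is_rule_alert(a)} "
              f"{a['proto']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Lines that do not match return None rather than raising, so a wrapped entry like the one pasted in the question should be re-joined onto a single line before parsing.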




