[Snort-users] Finding SIDs in ACID
Michael G. Meskill (MIS)
MGMeskill at ...6961...
Wed Oct 9 07:02:04 EDT 2002
I think I'm overlooking something in ACID, but I can't find the
Signature ID (SID) number on detects in ACID. This would be really
convenient when tuning the IDS. Ex: I see "ICMP Host Unreachable,
Communication Administratively Prohibited" with 2500 detects in 48 hours. I
determine that it's a false pos. and don't want to see them anymore. It
would be nice to get the SID from ACID to plug into Oinkmaster's
"disablesid" line so that it's commented-out on the next sig update.
I guess my question boils down to, "How do I get the SID from an
alert in ACID?" and, "If I can't, how can I modify ACID to display SIDs?"
Thanks in advance,
Michael G. Meskill
American Central Transport, Inc.
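
An added example, not part of the original post and not code from ACID or Oinkmaster: one way to recover the SID outside ACID is to match the alert name against the `msg` option in the Snort rules files and emit `disablesid` lines for oinkmaster.conf. It assumes the alert name ACID shows is the rule's `msg` string; the sample rules and their SIDs are constructed for illustration.

```python
import re

# Constructed sample rules (not from the post); the SIDs are made up.
SAMPLE_RULES = r'''alert icmp any any -> any any (msg:"ICMP Host Unreachable, Communication Administratively Prohibited"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Example Echo Request"; sid:1000002; rev:1;)
# alert icmp any any -> any any (msg:"ICMP Host Unreachable, already disabled"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"WEB-EXAMPLE escaped \"quote\" in message"; sid:1000004; rev:2;)
'''

# msg:"..." with backslash-escaped characters allowed inside the quotes.
MSG_RE = re.compile(r'msg\s*:\s*"((?:\\.|[^"\\])*)"\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Yield (sid, msg) for every active (uncommented) rule in text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or rule that is already disabled
        m = MSG_RE.search(line)
        if not m:
            continue
        # Search for sid outside the msg string so msg text cannot match.
        rest = line[:m.start()] + line[m.end():]
        s = SID_RE.search(rest)
        if s:
            msg = re.sub(r'\\(.)', r'\1', m.group(1))  # undo \" style escapes
            yield int(s.group(1)), msg


def find_sids(text, alert_name):
    """Return [(sid, msg)] for active rules whose msg contains alert_name."""
    needle = alert_name.lower()
    return [(sid, msg) for sid, msg in parse_rules(text) if needle in msg.lower()]


def disablesid_lines(text, alert_name):
    """Build oinkmaster.conf lines: a comment naming the rule, then disablesid."""
    out = []
    for sid, msg in find_sids(text, alert_name):
        out.append("# " + msg)
        out.append("disablesid %d" % sid)
    return out


if __name__ == "__main__":
    print("\n".join(disablesid_lines(SAMPLE_RULES, "ICMP Host Unreachable")))
```

Review the matched `msg` text before pasting the lines into oinkmaster.conf, since a short search string can match more rules than the one being tuned out.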