[Snort-users] help

Chapman, Justin T JtChapma at ...8815...
Thu Apr 10 14:29:04 EDT 2003

I think it goes [<sensorID>:<signatureID>:<signatureRevision>]  

-----Original Message-----
From: li wei [mailto:kkndguy at ...125...] 
Sent: Wednesday, April 09, 2003 2:59 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] help

hi, all!
  i use snort-1.9.1 in openbsd3.3.When i read the alert file,i found 
somthing like that :
      [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
      [Classification: Attempted Information Leak] [Priority: 2]
      04/09-11:11:10.440280 ->
      TCP TTL:128 TOS:0x0 ID:55820 IpLen:20 DgmLen:48 DF
      ******S* Seq: 0xA62138F7  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
      TCP Options (4) => MSS: 1460 NOP NOP SackOK
      [Xref => url help.undernet.org/proxyscan/]
what's "[1:615:3]" means in the message? There is sting like that in evey 
message.So , what's the string means?
    All the best,

More information about the Snort-users mailing list