[Snort-users] Parsing SID field

Erek Adams erek at ...950...
Tue Jun 3 13:59:05 EDT 2003


On Tue, 3 Jun 2003, Todd A. Jacobs wrote:

> In an alert file, I can't figure out what the first field of the SID
> record is telling me. For example:
>
> 	[1:1002:5]
>
> is SID 1002, Revision 5. But what is the 1 telling me?

Generator ID from generators.h.

    1  /* $Id: generators.h,v 1.33 2003/03/31 13:12:58 chrisgreen Exp $ */

[...snip...]

    23  #define GENERATOR_SNORT_ENGINE        1

[...snip...]

Or simply 'what part of the program actually caused the alert to fire
off.'

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
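As an added example, not part of the thread or of the Snort source, the following Python parses the `[gid:sid:rev]` triple out of alert lines and uses the one generator ID the thread shows (GENERATOR_SNORT_ENGINE = 1) to tell rule-engine alerts apart from alerts raised by other parts of the program. The alert lines and the non-rules generator number 116 in the sample are constructed for the demonstration, and the fast-alert line layout it matches against is an assumption about the log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Snort writes the alert identity as a bracketed triple at the start of
# each alert: [generator_id:signature_id:revision], e.g. [1:1002:5].
_SID_FIELD = re.compile(r"\[(\d+):(\d+):(\d+)\]")

# Generator IDs are defined in generators.h in the Snort source. The thread
# shows only GENERATOR_SNORT_ENGINE (1), the rules engine; other values
# identify preprocessors or other internal components.
GENERATOR_SNORT_ENGINE = 1


@dataclass(frozen=True)
class SidField:
    gid: int  # generator ID: which part of Snort fired the alert
    sid: int  # signature ID: which rule or internal check
    rev: int  # revision of that rule

    @property
    def source(self) -> str:
        """Human-readable description of the generator."""
        if self.gid == GENERATOR_SNORT_ENGINE:
            return "rules engine"
        return f"generator {self.gid} (look up in generators.h)"


def parse_sid_field(line: str) -> Optional[SidField]:
    """Return the [gid:sid:rev] triple from an alert line, or None.

    Packet-detail lines and lines such as "[Priority: 2]" contain no
    colon-separated numeric triple, so they correctly return None.
    """
    m = _SID_FIELD.search(line)
    if m is None:
        return None
    gid, sid, rev = (int(g) for g in m.groups())
    return SidField(gid, sid, rev)


def count_by_generator(lines: Iterable[str]) -> Dict[int, int]:
    """Tally alerts per generator ID, skipping lines without a triple."""
    counts: Dict[int, int] = {}
    for line in lines:
        field = parse_sid_field(line)
        if field is None:
            continue
        counts[field.gid] = counts.get(field.gid, 0) + 1
    return counts


# Constructed sample in the fast-alert layout (assumed format); the
# gid 116 line stands in for an alert raised outside the rules engine.
SAMPLE_ALERTS = [
    "06/03-13:59:05.123456  [**] [1:1002:5] EXAMPLE rule alert [**] "
    "[Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80",
    "06/03-13:59:05.223456  [**] [1:1002:5] EXAMPLE rule alert [**] "
    "[Priority: 2] {TCP} 10.0.0.5:4322 -> 10.0.0.9:80",
    "06/03-13:59:06.000001  [**] [116:3:1] EXAMPLE non-rules alert [**] "
    "[Priority: 3] {TCP} 10.0.0.5:4323 -> 10.0.0.9:80",
    "06/03-13:59:06.000002 10.0.0.5:4323 -> 10.0.0.9:80",  # packet detail, no triple
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        field = parse_sid_field(line)
        if field is not None:
            print(f"gid={field.gid} sid={field.sid} rev={field.rev} -> {field.source}")
    print(count_by_generator(SAMPLE_ALERTS))
```

The regex requires three colon-separated integers inside one pair of brackets, so other bracketed fields on the same line (`[**]`, `[Priority: 2]`) are not mistaken for the SID triple.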
