[Snort-users] Parsing SID field

Tinsley Paul Paul.Tinsley at ...9244...
Tue Jun 3 14:01:02 EDT 2003

Somebody please correct me if the below information is incorrect, and sorry
about the formatting but I yanked this from a script.

#example message IP's x'd out to protect the innocent:
#[1:2087:2] SMTP From comment overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: <eth2> {TCP} xxx.xx.xxx.xxx:37422 -> xxx.xx.xx.xx:25
#message format:
#[1:2:3] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [Classification: bbbbbbbbbbbbb] [Priority: c]: <i> {ddd} eee.eee.eee.eee:fffff -> ggg.ggg.ggg.ggg:hh
#1 - GID (engine that caught the signature) [integer]
#2 - SID (Signature ID) [integer]
#3 - REV (Revision of the Signature) [integer]
#a - Signature Short Description [text]
#b - Classification (Ex: Information Gain, Remote Root) [text]
#c - Priority [integer]
#d - Protocol (Ex: TCP, UDP) [text]
#e - Source IP [IP octets]
#f - Source Port [integer]
#g - Dest. IP [IP octets]
#h - Dest. Port [integer]
#i - Ethernet Interface [text]

-----Original Message-----
From: Todd A. Jacobs [mailto:nospam at ...9368...]
Sent: Tuesday, June 03, 2003 3:26 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Parsing SID field

In an alert file, I can't figure out what the first field of the SID 
record is telling me. For example:


is SID 1002, Revision 5. But what is the 1 telling me? 

The DMCA is anti-consumer. The RIAA has no right to rewrite copyright
laws to suit themselves.
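A parser for the alert layout laid out in Paul's message, written as an added example for this archive page (it is not code from the list post or from the Snort project). It pulls out GID, SID and REV plus the remaining fields, and goes a little beyond the single line quoted above by treating the `<interface>` tag, the `[Classification: ...]` block and the `:port` suffixes as optional, since ICMP alerts carry no ports and not every rule has a classtype; those relaxations, the sample lines and the RFC 5737 addresses are all constructed here, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the "[gid:sid:rev] msg [Classification: ...]
# [Priority: n]: <iface> {proto} src:port -> dst:port" layout. Addresses
# are documentation ranges and the descriptions are made up for this example.
SAMPLE_ALERTS = [
    "[1:2087:2] SMTP From comment overflow attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "<eth2> {TCP} 192.0.2.10:37422 -> 198.51.100.5:25",
    # no <interface> tag (older sensors omit it)
    "[1:1002:5] EXAMPLE web request alert "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 192.0.2.77:4321 -> 198.51.100.9:80",
    # ICMP: no ports on either side
    "[1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] "
    "[Priority: 2]: <eth0> {ICMP} 192.0.2.33 -> 198.51.100.1",
]

# One anchored regex for the whole line. The message text is matched lazily so
# the first "[Classification:" / "[Priority:" bracket ends it; interface,
# classification and ports are optional (assumption, see lead-in).
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>[0-9.]+)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>[0-9.]+)(?::(?P<dst_port>\d+))?\s*$"
)


@dataclass
class Alert:
    gid: int                      # generator that fired (1 = rules engine)
    sid: int                      # signature id
    rev: int                      # signature revision
    msg: str                      # short description from the rule
    classification: Optional[str]
    priority: int
    interface: Optional[str]
    protocol: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    def rule_key(self) -> str:
        """The gid:sid:rev triple as written in the alert."""
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None if it does not fit the layout."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    opt_int = lambda v: int(v) if v is not None else None
    return Alert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), interface=g["iface"],
        protocol=g["proto"],
        src_ip=g["src_ip"], src_port=opt_int(g["src_port"]),
        dst_ip=g["dst_ip"], dst_port=opt_int(g["dst_port"]),
    )


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    """Parse many lines, silently skipping ones that do not match."""
    parsed = (parse_alert(l) for l in lines)
    return [a for a in parsed if a is not None]


def count_by_rule(alerts: Iterable[Alert]) -> dict:
    """Tally alerts per gid:sid:rev, the usual first cut when triaging."""
    counts: dict = {}
    for a in alerts:
        counts[a.rule_key()] = counts.get(a.rule_key(), 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.rule_key(), a.priority, a.protocol, a.src_ip, "->", a.dst_ip, "|", a.msg)
    print(count_by_rule(parse_alerts(SAMPLE_ALERTS)))
```

Lines that do not fit the layout come back as `None` rather than half-filled records, which matters when a log pipeline later keys on `gid:sid` for tuning or suppression: a silently mis-split line would mislabel the rule.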
