[Snort-users] thresholding: How to get the sig_id?

Steffen Maetzky (extern) Steffen.Maetzky at ...11508...
Wed Apr 14 02:57:11 EDT 2004


I'd like to tune my sensor but don't know how to get the right sig_ids for
alerts which aren't created by rules.

Alerts should have the following format: [generator:signature:revision],
but ACID doesn't seem to use this.

Does anyone know how to get the sig_ids easily?

The search engine of snort.org doesn't seem to work properly (for
example, I don't find the sig_id if I use "possible EVASIVE RST
detection" in the message field).

