[Snort-users] thresholding: How to get the sig_id?
Dirk_Geschke at ...1344...
Wed Apr 14 04:41:09 EDT 2004
> I'd like to tune my sensor but don't know how to get right sig_id's for
> alerts which aren't created by rules.
> alerts should have the following format [generator:signature:revision]
> but acid doesn't seem to use this.
forget about acid on this topic... (It is a little bit more
complicated than it sounds, but there are several IDs related
to signatures, so it is difficult to find the right one. The
sig_id acid uses is only an index where you can find the real
signature in the database. In the signature table you find for
each sig_id a sig_sid. This sig_sid is the sig_id you want...)
> Does anyone know how to get the sig_id's easily?
> The search-engine of snort.org doesn't seem to work properly (for
> example:I don't find the sig_id if I use "possible EVASIVE RST
> detection" in the message-field)
The search engine only counts for rules, not for messages generated
by a preprocessor. This message is generated by a preprocessor, and
normally the message itself should say which one it is:
"(spp_stream4) possible EVASIVE RST detection"
Then you know it is the stream4 preprocessor.
So look at snort-2.1.2/src/generators.h and look for SPP_STREAM4:
#define GENERATOR_SPP_STREAM4 111
#define STREAM4_STEALTH_ACTIVITY 1
#define STREAM4_EVASIVE_RST 2
#define STREAM4_EVASIVE_RETRANS 3
So here is the generator id (111) and the sig_id (STREAM4_EVASIVE_RST, 2).
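The lookup described in the reply, as an added example that is not part of the original mail: a small Python script that parses a constructed excerpt of `generators.h` (the four stream4 `#define` lines quoted above), takes the `(spp_xxx)` tag from an alert message to pick the generator, matches the macro suffix against the message text to pick the sig_id, and prints a `threshold` line for `threshold.conf` in Snort 2.x syntax. The matching heuristic (underscores in the macro name become spaces and must appear in the message) and the function names are my own assumptions, not anything Snort ships; check the result against your own `generators.h`.

```python
import re

# Constructed excerpt in the style of snort-2.1.2/src/generators.h,
# limited to the stream4 lines quoted in the mail.
GENERATORS_H = """
#define GENERATOR_SPP_STREAM4        111
#define     STREAM4_STEALTH_ACTIVITY      1
#define     STREAM4_EVASIVE_RST           2
#define     STREAM4_EVASIVE_RETRANS       3
"""

DEFINE_RE = re.compile(r'^\s*#define\s+(\w+)\s+(\d+)\s*$', re.M)


def parse_generators(text):
    """Return {'STREAM4': (111, {'STREAM4_EVASIVE_RST': 2, ...}), ...}.

    A GENERATOR_SPP_<NAME> define gives the gen_id; every other define
    whose name starts with <NAME>_ is one of that preprocessor's sig_ids.
    """
    gens = {}
    defines = DEFINE_RE.findall(text)
    for name, value in defines:
        if name.startswith('GENERATOR_SPP_'):
            gens[name[len('GENERATOR_SPP_'):]] = (int(value), {})
    for name, value in defines:
        if name.startswith('GENERATOR_'):
            continue
        for prefix, (_gid, sigs) in gens.items():
            if name.startswith(prefix + '_'):
                sigs[name] = int(value)
    return gens


def resolve(message, gens):
    """Map '(spp_stream4) possible EVASIVE RST detection' to (gen_id, sig_id).

    Heuristic (an assumption of this example): the '(spp_xxx)' tag selects
    the generator, and the longest macro suffix that, with underscores
    turned into spaces, occurs in the upper-cased message wins.
    """
    m = re.match(r'\((spp_\w+)\)\s*(.*)', message)
    if not m:
        raise ValueError('no preprocessor tag in message: %r' % message)
    prefix = m.group(1)[len('spp_'):].upper()
    rest = m.group(2).upper()
    if prefix not in gens:
        raise KeyError('generator %s not found in generators.h excerpt' % prefix)
    gid, sigs = gens[prefix]
    best = None
    for macro, sid in sigs.items():
        words = macro[len(prefix) + 1:].replace('_', ' ')
        if words in rest and (best is None or len(words) > len(best[0])):
            best = (words, sid)
    if best is None:
        raise KeyError('no %s macro matches %r' % (prefix, message))
    return gid, best[1]


def threshold_line(gid, sid, count=1, seconds=60):
    """Snort 2.x threshold.conf syntax: limit to `count` alerts per source
    address every `seconds` seconds for this gen_id/sig_id pair."""
    return ('threshold gen_id %d, sig_id %d, type limit, track by_src, '
            'count %d, seconds %d' % (gid, sid, count, seconds))


if __name__ == '__main__':
    gens = parse_generators(GENERATORS_H)
    gid, sid = resolve('(spp_stream4) possible EVASIVE RST detection', gens)
    print(threshold_line(gid, sid))
```

Point the script at your real `generators.h` instead of the embedded excerpt to cover every preprocessor; alert messages that carry no `(spp_xxx)` tag are rule alerts and belong to gen_id 1, where the sig_id is simply the rule's `sid`.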