[Snort-users] thresholding: How to get the sig_id?

Dirk Geschke Dirk_Geschke at ...1344...
Wed Apr 14 04:41:09 EDT 2004


Hi Steffen,

> I'd like to tune my sensor but don't know how to get the right sig_ids for
> alerts which aren't created by rules.
> 
> alerts should have the following format [generator:signature:revision]
> but acid doesn't seem to use this.

forget about acid on this topic... (It is a little bit more
complicated than it sounds, but there are several IDs related
to signatures. So it is difficult to find the right one. The
sig_id acid uses is only an index where you can find the real
signature in the database. In the signature table you find for
each sig_id a sig_sid. This sig_sid is the sig_id you want...)

> Does anyone know how to get the sig_ids easily?
> 
> The search-engine of snort.org doesn't seem to work properly (for
> example:I don't find the sig_id if I use "possible EVASIVE RST
> detection" in the message-field)

The search engine only counts for rules, not for messages generated
by a preprocessor. This message is generated by a preprocessor, and
normally it should be part of the message which one it is:

"(spp_stream4) possible EVASIVE RST detection"

Then you know it is the stream4 preprocessor. 

So look at snort-2.1.2/src/generators.h and look for SPP_STREAM4:

[...]
#define GENERATOR_SPP_STREAM4       111
#define     STREAM4_STEALTH_ACTIVITY            1
#define     STREAM4_EVASIVE_RST                 2
#define     STREAM4_EVASIVE_RETRANS             3
[...]

So here is the generator id (111) and the sig_id (STREAM4_EVASIVE_RST, 2).

Best regards

Dirk
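The lookup Dirk describes, carried out in code as an added example (it is not part of the original post or of the Snort project): the script parses the `#define` lines of a generators.h excerpt into a (generator, sig_id) table, extracts the [generator:signature:revision] triple from constructed fast-format alert lines, resolves each triple to its symbolic name, and emits a threshold line for the preprocessor alert. The generators.h text and the alert lines are constructed samples, the `GENERATOR_SPP_<PREFIX>` / `<PREFIX>_<NAME>` naming convention is assumed to hold as it does in the quoted excerpt, and the `threshold gen_id ..., sig_id ...` line follows the Snort 2.x threshold.conf syntax (assumed from the Snort 2 documentation, not stated in the post).

```python
import re

# Constructed excerpt in the style of snort-2.1.2/src/generators.h.
# The values are the ones quoted in the post; the real file is much longer.
GENERATORS_H = """
#define GENERATOR_SPP_STREAM4       111
#define     STREAM4_STEALTH_ACTIVITY            1
#define     STREAM4_EVASIVE_RST                 2
#define     STREAM4_EVASIVE_RETRANS             3
"""

# Constructed sample lines in Snort's "fast" alert format. Each alert carries
# the [generator:signature:revision] triple that the post refers to.
SAMPLE_ALERTS = """
04/14-04:41:09.123456  [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
04/14-04:41:10.000001  [**] [111:3:1] (spp_stream4) possible EVASIVE retransmission [**] {TCP} 10.0.0.5:4445 -> 10.0.0.9:80
04/14-04:41:11.000002  [**] [1:1000001:1] local rule hit [**] {TCP} 10.0.0.6:1234 -> 10.0.0.9:22
"""

DEFINE_RE = re.compile(r'^#define\s+(\w+)\s+(\d+)\s*$', re.M)
ALERT_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]')


def parse_generators(text):
    """Build {(gen_id, sig_id): SYMBOL} from GENERATOR_* and <PREFIX>_* defines.

    Assumption (hypothetical, but true for the quoted excerpt): a generator named
    GENERATOR_SPP_FOO or GENERATOR_FOO owns every define that starts with FOO_.
    """
    defines = dict(DEFINE_RE.findall(text))
    table = {}
    for name, value in defines.items():
        if not name.startswith('GENERATOR_'):
            continue
        gen_id = int(value)
        prefix = name[len('GENERATOR_'):]
        if prefix.startswith('SPP_'):
            prefix = prefix[len('SPP_'):]
        for sym, sval in defines.items():
            if sym.startswith(prefix + '_'):
                table[(gen_id, int(sval))] = sym
    return table


def parse_alerts(text):
    """Return [(gen_id, sig_id, rev, message), ...] from fast-format alert lines."""
    return [(int(g), int(s), int(r), msg)
            for g, s, r, msg in ALERT_RE.findall(text)]


def resolve(alerts, table):
    """Attach the generators.h symbol (None for plain rule alerts) to each alert."""
    return [(g, s, table.get((g, s)), msg) for g, s, _rev, msg in alerts]


def threshold_line(gen_id, sig_id, count=1, seconds=60):
    """Snort 2.x threshold.conf line limiting one alert per source per window
    (syntax assumed from the Snort 2 documentation)."""
    return ('threshold gen_id %d, sig_id %d, type limit, track by_src, '
            'count %d, seconds %d' % (gen_id, sig_id, count, seconds))


def main():
    table = parse_generators(GENERATORS_H)
    for gen_id, sig_id, symbol, msg in resolve(parse_alerts(SAMPLE_ALERTS), table):
        print('%d:%d  %-28s %s' % (gen_id, sig_id, symbol or '(rule, see its sid)', msg))
        if symbol is not None:
            print('    ' + threshold_line(gen_id, sig_id))


if __name__ == '__main__':
    main()
```

Run against a real generators.h the table lookup tells you, for any preprocessor alert in the log, which symbol and which gen_id/sig_id pair a threshold entry must name; alerts whose generator is 1 come from rules, and for those the sig_id is simply the rule's sid.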