[Snort-users] setting threshold for snort signatures
mkettler at ...4108...
Thu Apr 15 10:12:07 EDT 2004
At 08:40 AM 4/15/2004, agnelo d wrote:
> I need to set thresholds for snort rules.
>The parameters are:
>gen_id gen-id <------ what is this gen-id
>type limit, threshold, both
>track by_src, by_dst
>Pls. can someone tell me what is this gen-id.
Generator ID. It's the first number in the alert lines generated by snort.
For rules it's always 1. Alerts generated by preprocessors have other numbers.
[1:1070:6] WEB-MISC WebDAV search access [**]
The bracketed numbers are [generator:SID:revision] for normal rules.
If you read gen-msg.map you can find generator:SID combinations for the
i.e. in 2.1.0 stream4 is generator 111, and [111:1:*] is "spp_stream4:
Stealth Activity Detected"
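Added example, not part of the original post: a Python sketch that reads the [generator:SID:revision] triple from alert header lines, tallies alerts per generator and SID, and prints a standalone `threshold` line for each noisy pair with the matching `gen_id`. The sample alerts are constructed, and the `min_hits`, `count` and `seconds` values are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Matches the bracketed triple in a Snort alert header, e.g. "[1:1070:6]".
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")

# Constructed sample alert headers (not real captured output).
SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[**] [111:1:1] spp_stream4: Stealth Activity Detected [**]
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
not an alert line
"""

def parse_alert_ids(text):
    """Return a Counter of (gen_id, sig_id) pairs seen in the alert text."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_ID.search(line)
        if m:
            gid, sid, _rev = map(int, m.groups())
            counts[(gid, sid)] += 1
    return counts

def source_of(gen_id):
    """Per the post: generator 1 means a rule, other numbers a preprocessor."""
    return "rule" if gen_id == 1 else "preprocessor"

def threshold_lines(counts, min_hits=2, count=1, seconds=60):
    """Build one threshold entry per (gen_id, sig_id) seen at least min_hits times."""
    out = []
    for (gid, sid), hits in sorted(counts.items()):
        if hits >= min_hits:
            out.append(
                f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count {count}, seconds {seconds}"
            )
    return out

if __name__ == "__main__":
    ids = parse_alert_ids(SAMPLE_ALERTS)
    for (gid, sid), hits in sorted(ids.items()):
        print(f"{gid}:{sid} ({source_of(gid)}) x{hits}")
    print("\n".join(threshold_lines(ids)))
```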