[Snort-users] setting threshold for snort signatures

Matt Kettler mkettler at ...4108...
Thu Apr 15 10:12:07 EDT 2004


At 08:40 AM 4/15/2004, agnelo d wrote:
>      I need to set thresholds for snort rules.
>The parameters are:
>
>gen_id  gen-id  <------ what is this gen-id
>sig_id  sig-id
>type    limit, threshold, both
>track   by_src, by_dst
>count   n
>seconds m
>
>Please can someone tell me what this gen-id is?

Generator ID. It's the first number in the alert lines generated by Snort.

For rules it's always 1. Alerts generated by preprocessors have other numbers.

For example:
[1:1070:6] WEB-MISC WebDAV search access [**]

The bracketed numbers are [generator:SID:revision] for normal rules.

If you read gen-msg.map you can find generator:SID combinations for the 
preprocessors.

i.e., in 2.1.0 stream4 is generator 111, and [111:1:*] is "spp_stream4: 
Stealth Activity Detected"
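
An added example, not part of the original post: the script below pulls the [generator:SID:revision] triple out of alert lines and writes one threshold entry per distinct generator:SID, using the parameters listed in the question in Snort 2.x standalone threshold syntax. The sample alert lines are constructed, the function names are hypothetical, and the defaults (limit, by_src, count 1, seconds 60) are arbitrary assumptions.

```python
import re

# "[generator:SID:revision] message [**]" as it appears in a Snort alert line.
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

TYPES = {"limit", "threshold", "both"}
TRACKS = {"by_src", "by_dst"}

# Constructed sample alert lines (timestamps and addresses are made up).
SAMPLE_ALERTS = [
    "04/15-10:12:07.100000  [**] [1:1070:6] WEB-MISC WebDAV search access [**] {TCP} 192.0.2.10:3321 -> 192.0.2.80:80",
    "04/15-10:12:09.200000  [**] [1:1070:6] WEB-MISC WebDAV search access [**] {TCP} 192.0.2.10:3322 -> 192.0.2.80:80",
    "04/15-10:12:11.300000  [**] [111:1:1] spp_stream4: Stealth Activity Detected [**] {TCP} 192.0.2.44:4000 -> 192.0.2.80:22",
    "this line carries no alert id",
]


def parse_alert_id(line):
    """Return (gen_id, sig_id, rev, msg) from an alert line, or None."""
    m = ALERT_ID.search(line)
    if m is None:
        return None
    gen_id, sig_id, rev = (int(g) for g in m.group(1, 2, 3))
    return gen_id, sig_id, rev, m.group(4)


def threshold_line(gen_id, sig_id, type_, track, count, seconds):
    """Format one standalone threshold entry, rejecting invalid values."""
    if type_ not in TYPES:
        raise ValueError(f"type must be one of {sorted(TYPES)}")
    if track not in TRACKS:
        raise ValueError(f"track must be one of {sorted(TRACKS)}")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    return (f"threshold gen_id {gen_id}, sig_id {sig_id}, type {type_}, "
            f"track {track}, count {count}, seconds {seconds}")


def thresholds_for(alert_lines, type_="limit", track="by_src", count=1, seconds=60):
    """One threshold entry per distinct generator:SID seen in the alerts."""
    seen = {}
    for line in alert_lines:
        parsed = parse_alert_id(line)
        if parsed:
            gen_id, sig_id, _rev, msg = parsed
            seen.setdefault((gen_id, sig_id), msg)  # keep first message seen
    return [f"# {msg}\n" + threshold_line(g, s, type_, track, count, seconds)
            for (g, s), msg in seen.items()]


if __name__ == "__main__":
    print("\n".join(thresholds_for(SAMPLE_ALERTS)))
```

The revision number is parsed but not used, since the threshold parameters in the question key on gen_id and sig_id only.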





