[Snort-users] where is a faq/info on alerts

Glenn Forbes Fleming Larratt glratt at ...604...
Fri Aug 6 07:26:07 EDT 2004

Hm. I was surprised - I could not find the answer anywhere in the
{snort}/doc subdirectory of my snort-2.1.1 installation, nor in the
manual or the FAQ at www.snort.org/docs . Maybe it's me.

As I recall, the format [xx:yy:zz] expands to

	xx = source module; 1 = standard snort rule, other numbers for
		various preprocessors (http_inspect, e.g.)

	yy = sid configured into the snort rule generating the alert, or
		subsidiary alert type if from a preprocessor;

	zz = rev configured into the snort rule.

So the alert

Aug  6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} ->

was generated by the standard snort rule with sid 469 and rev 1. More data
can be found by looking up the rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

; more data can be found in later versions of snort in the distributed
files {snort}/doc/signatures/469.txt, and the reference to "arachnids"
is a shorthand which is explained in section 2.4.2 of the Snort users


On Thu, 5 Aug 2004, Turnquist,Wayne wrote:

> Date: Thu, 5 Aug 2004 21:38:46 -0500
> From: "Turnquist,Wayne" <WayneTurnquist at ...12076...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] where is a faq/info on alerts
> where do i find info on alert that shows up in the log
> snort [xx:yy:ww]
> can someone point me to a faq on the numbering scheme of these alerts
> i need a good starting point so i can understand/search for these alerts
> thanks
> wt

				Glenn Forbes Fleming Larratt
				Rice University Networking
				glratt at ...604...
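As an added illustration of the [xx:yy:zz] decoding described above (example code, not part of the original post or of Snort itself): a small Python parser that pulls gid/sid/rev and the bracketed fields out of the syslog line quoted in the message, parses the options of the quoted rule, and checks that the two agree. The sample alert and rule are the ones quoted in the post; the `(http_inspect) SAMPLE` line in the comments is a constructed preprocessor-style alert.

```python
import re

# Constructed sample input: the syslog-wrapped alert quoted in the post. The
# trailing "->" shows the line was cut off before the addresses, so the
# parser has to tolerate a missing tail.
SAMPLE_ALERT = ("Aug  6 09:17:38 foo.rice.edu snort: [ID 702911 local0.alert] "
                "[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] "
                "[Priority: 2]: {ICMP} ->")

# The rule quoted in the post, used to confirm sid/rev and pull the reference.
SAMPLE_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
               "dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; "
               "sid:469; rev:1;)")


def parse_alert(line):
    """Split a Snort alert line into gid/sid/rev plus the bracketed fields."""
    m = re.search(r"\[(\d+):(\d+):(\d+)\]\s*(.*)$", line)
    if not m:
        return None
    gid, sid, rev, rest = int(m[1]), int(m[2]), int(m[3]), m[4]
    # The message text runs up to the first bracketed field (if any).
    msg = re.split(r"\s*\[", rest, maxsplit=1)[0].strip()
    fields = dict(re.findall(r"\[(\w+):\s*([^\]]*)\]", rest))
    return {
        "gid": gid, "sid": sid, "rev": rev, "msg": msg,
        # gid 1 is the rules engine; any other gid is a preprocessor id.
        "source": "rule" if gid == 1 else "preprocessor",
        "classification": fields.get("Classification"),
        "priority": int(fields["Priority"]) if "Priority" in fields else None,
    }


def parse_rule_options(rule):
    """Return the key: value options from the parenthesised part of a rule."""
    body = re.search(r"\((.*)\)\s*$", rule)
    opts = {}
    # Splitting on ';' is enough for this rule; a msg containing ';' would need a real tokenizer.
    for opt in (body[1] if body else "").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def explain(alert_line, rule):
    """Tie an alert to its rule by sid/rev and expose the reference: systems."""
    alert, opts = parse_alert(alert_line), parse_rule_options(rule)
    same = alert is not None and [str(alert["sid"])] == opts.get("sid") \
        and [str(alert["rev"])] == opts.get("rev")
    refs = [tuple(r.split(",", 1)) for r in opts.get("reference", [])]
    return {"alert": alert, "rule_matches": same, "references": refs}
```

The `references` list gives the shorthand system name (here `arachnids`) and its id, which is what the reference section of the manual expands into a URL prefix.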
