[Snort-users] Snort SIDs changed?

Brian bmc at ...950...
Mon Aug 23 07:58:21 EDT 2004

On Fri, Aug 13, 2004 at 05:14:38PM -0600, Sean Brown wrote:
> Have the SIDs on Snorts website changed? I have SID 108 logged as
> '(snort_decoder) Unknown Datagram decoding problem!' Yet clicking on
> the link to the description of that sid in acid it points to
> http://www.snort.org/snort-db/sid.html?sid=108 which obviously is
> sid 108 but there the message listed is 'BACKDOOR QAZ Worm Client
> Login access'

The alert you are looking '(snort_decoder) Unknown Datagram decoding
problem!' is gen 116, sid 108.

The rule documentation at
http://www.snort.org/snort-db/sid.html?sid=108 is for gen 1, sid 108. 

Hopefully preprocessor events will have documentation for them soon.
(We are working on it now.)


More information about the Snort-users mailing list