[Snort-users] Snort SIDs changed?

Brian bmc at ...950...
Thu Aug 26 11:42:15 EDT 2004


On Mon, Aug 23, 2004 at 10:57:47AM -0400, Brian wrote:
> On Fri, Aug 13, 2004 at 05:14:38PM -0600, Sean Brown wrote:
> > Have the SIDs on Snort's website changed? I have SID 108 logged as
> > '(snort_decoder) Unknown Datagram decoding problem!' Yet clicking on
> > the link to the description of that sid in acid it points to
> > http://www.snort.org/snort-db/sid.html?sid=108 which obviously is
> > sid 108 but there the message listed is 'BACKDOOR QAZ Worm Client
> > Login access'
> 
> The alert you are looking at, '(snort_decoder) Unknown Datagram decoding
> problem!', is gen 116, sid 108.
> 
> The rule documentation at
> http://www.snort.org/snort-db/sid.html?sid=108 is for gen 1, sid 108. 
> 
> Hopefully preprocessor events will have documentation for them soon.
> (We are working on it now.)

Oh, BTW..

This doesn't help you any because the snort decoder events are not
documented yet, but some documentation for preprocessor events is now
available via the web.

Information for your specific event (gen 116, sid 108), had the
documentation for that preprocessor event been done already, would
have been available here:

    http://www.snort.org/snort-db/sid.html?sid=116:108

Right now, only the http_inspect preprocessor event documentation is
done. But, we are working on it. Feel free to contribute.

-b
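
Added example, not part of the original message or of Snort itself: a small Python parser that keys alerts on the (gen, sid) pair from the `[gen:sid:rev]` alert header and builds the documentation URL in the two forms shown in the thread. The sample alert lines and revision numbers are constructed, and using the `gen:sid` URL form for every generator other than 1 is an assumption generalized from the single URL above.

```python
import re

# Header of a Snort alert line: [generator:sid:revision] followed by the message.
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

DOC_BASE = "http://www.snort.org/snort-db/sid.html?sid="  # URL form quoted in the thread


def parse_alert(line):
    """Return (gen, sid, rev, msg) from an alert line, or None if no header is found."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    gen, sid, rev = (int(g) for g in m.groups()[:3])
    return gen, sid, rev, m.group(4)


def doc_url(gen, sid):
    """Documentation URL keyed on the (gen, sid) pair.

    Gen 1 (text rules) uses the bare sid; other generators use gen:sid
    (assumption generalized from the 116:108 URL in the thread).
    """
    return DOC_BASE + (str(sid) if gen == 1 else f"{gen}:{sid}")


def group_by_event(lines):
    """Count alerts per (gen, sid) so equal sids from different generators stay separate."""
    counts = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip anything that is not an alert header
        key = parsed[:2]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample alert lines (not captured output).
SAMPLE = [
    "[**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**]",
    "[**] [1:108:5] BACKDOOR QAZ Worm Client Login access [**]",
    "[**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**]",
    "not an alert line",
]

if __name__ == "__main__":
    for (gen, sid), n in sorted(group_by_event(SAMPLE).items()):
        print(gen, sid, n, doc_url(gen, sid))
```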



