[Snort-users] Question about rule numbers and Syslog

Matt Kettler mkettler at ...4108...
Mon Oct 25 10:32:03 EDT 2004


At 01:10 PM 10/25/2004, Truax, Shawn (MBS) wrote:
>When you receive a syslog message from Snort it gives a rule number of 
>#:###:#. For example 1:255:8 is DNS Zone Transfer TCP.  I know that the 
>middle number is the sid for the rule.  My question is what are the other 
>2 numbers, where do they come from and are they in the acid database anywhere.

The first number is the generator. See the generators file that comes with 
snort for a list.

generator 1 is the rule subsystem. Other generators are the preprocessors 
(ie: spp_portscan, etc)

In the case of the rule subsystem, the other two numbers are the sid and 
revision of the rule. Thus in the above it was sid:255; rev:8 that fired.

In the other generators, the second number designates which particular 
alert the preprocessor is generating. What this number means is specific to 
the given preprocessor.  see gen-msg.map for a list of messages for 
generators other than 1. For generators other than 1 the third is unused 
and always 1. (at least AFAIK).







More information about the Snort-users mailing list