[Snort-users] Question about rule numbers and Syslog
Truax, Shawn (MBS)
Shawn.Truax at ...8509...
Mon Oct 25 10:53:02 EDT 2004
Thanks for the info. I found the rev number in the mysql table signature.
Any idea where I might find the generator numbers in the mysql database for
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: October 25, 2004 1:31 PM
To: Truax, Shawn (MBS); snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question about rule numbers and Syslog
At 01:10 PM 10/25/2004, Truax, Shawn (MBS) wrote:
>When you receive a syslog message from Snort it gives a rule number of
>#:###:#. For example 1:255:8 is DNS Zone Transfer TCP. I know that the
>middle number is the sid for the rule. My question is what are the other
>2 numbers, where do they come from and are they in the acid database
The first number is the generator. See the generators file that comes with
snort for a list.
Generator 1 is the rule subsystem. Other generators are the preprocessors
(i.e. spp_portscan, etc.)
In the case of the rule subsystem, the other two numbers are the sid and
revision of the rule. Thus in the above it was sid:255; rev:8 that fired.
In the other generators, the second number designates which particular
alert the preprocessor is generating. What this number means is specific to
the given preprocessor. See gen-msg.map for a list of messages for
generators other than 1. For generators other than 1 the third is unused
and always 1 (at least AFAIK).
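An added example (not part of this thread) that puts the explanation above into a small parser: it pulls the generator:sid:rev triple out of a Snort syslog line, treats generator 1 as a rule hit (sid and rev), and resolves any other generator through a gen-msg.map table. It assumes gen-msg.map uses the `gid || alert_id || message` layout and that Snort's syslog text looks like `snort[pid]: [gid:sid:rev] message [Classification: ...]`; the map entries and log lines below are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# Snort syslog alerts carry the triple [generator:sid:rev]; generator 1 is the rule subsystem.
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*(?:\[|$)")

# Constructed gen-msg.map fragment in the 'gid || alert_id || message' layout.
SAMPLE_GEN_MSG_MAP = """\
# gid || alert_id || message  (constructed sample entries)
122 || 1 || (constructed) TCP portscan
122 || 2 || (constructed) TCP decoy portscan
"""

# Constructed syslog lines: one rule hit (gid 1) and one preprocessor alert (gid 122).
SAMPLE_SYSLOG = [
    "Oct 25 13:10:02 sensor snort[1234]: [1:255:8] DNS zone transfer TCP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.5:3456 -> 10.0.0.53:53",
    "Oct 25 13:10:07 sensor snort[1234]: [122:1:1] portscan detected from 10.0.0.9",
]

def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Build a (gid, alert_id) -> message table from gen-msg.map text; skips comments/blanks."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def classify_alert(syslog_line: str, gen_msg: Dict[Tuple[int, int], str]) -> Optional[dict]:
    """Split the gid:sid:rev triple and explain it; None if the line carries no Snort alert id."""
    m = ALERT_ID_RE.search(syslog_line)
    if not m:
        return None
    gid, second, third = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if gid == 1:
        # Rule subsystem: second and third numbers are the rule's sid and rev.
        return {"generator": gid, "source": "rule", "sid": second, "rev": third, "msg": m.group(4)}
    # Preprocessor: second number is the preprocessor-specific alert id; look it up in gen-msg.map.
    return {"generator": gid, "source": "preprocessor", "alert_id": second, "rev": third,
            "msg": gen_msg.get((gid, second), m.group(4))}
```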