[Snort-users] Incorrect SID 108

Todd Wease twease at ...1935...
Tue Oct 31 21:01:38 EST 2006


On Wed, 2006-11-01 at 09:11 +0900, Ian Masters wrote:
> > What version of Snort are you using and what web interface are you
> > using?  
> > 
> > Both alerts have the same SID; however, they each have a different
> > generator id (GID).  It sounds like whatever web interface you are using
> > is not taking the GID into account when creating the link.
> 
> I'm using Snort Version 2.3.2 (Build 12) and ACID v0.9.6b23.
> 
> Why is it necessary for two alerts to have the same SID?

SIDs are grouped under GIDs.  For the events produced by the rules, the
GID is 1.  For events produced by other parts of Snort, such as the
preprocessors and decoder, the GID is different.  The GID lets you know
what part of the system produced the event.  Look at gen-msg.map where
you keep your snort.conf.

It is advisable that you upgrade your version of Snort and use BASE
(which is based on ACID) instead of ACID, since ACID hasn't been
supported for quite some time.

Todd
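As an added illustration of the point made above (this script is not part of the original thread and is not Snort, ACID or BASE code), here is a small Python script that resolves the [gid:sid:rev] triplet from a Snort alert line against a gen-msg.map-style table and a sid-msg.map-style table, keyed on the (GID, SID) pair, next to a SID-only lookup of the kind that produces the collision described in the thread. The map contents, the alert lines and the use of GID 111 as the non-rule generator are constructed sample data, not the real map files.

```python
import re

# Constructed sample data in the format of Snort's gen-msg.map
# ("gid || sid || message"). These lines are illustrative, not the real file.
GEN_MSG_MAP = """\
# gid || sid || message
1 || 1 || snort general alert
111 || 108 || spp_stream4: (constructed) preprocessor event with SID 108
"""

# Constructed sample data in the format of sid-msg.map
# ("sid || message || reference ..."), which describes the GID 1 rule events.
SID_MSG_MAP = """\
# sid || message || references
108 || CONSTRUCTED rule event with SID 108 || url,example.invalid
"""

# [gid:sid:rev] as it appears in Snort's alert output.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def _split_map_line(line):
    """Split one 'a || b || c' map line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return [p.strip() for p in line.split("||")]


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map-style text."""
    table = {}
    for line in text.splitlines():
        parts = _split_map_line(line)
        if parts and len(parts) >= 3:
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def parse_sid_msg_map(text):
    """Return {sid: message} from sid-msg.map-style text (rule events, GID 1)."""
    table = {}
    for line in text.splitlines():
        parts = _split_map_line(line)
        if parts and len(parts) >= 2:
            table[int(parts[0])] = parts[1]
    return table


def load_sample_tables():
    """Parse the constructed sample maps above."""
    return parse_gen_msg_map(GEN_MSG_MAP), parse_sid_msg_map(SID_MSG_MAP)


def resolve_event(alert_line, gen_map, sid_map):
    """Key the lookup on (gid, sid): GID 1 events come from the rule map,
    anything else (preprocessor, decoder) from the gen-msg.map table."""
    m = ALERT_RE.search(alert_line)
    if m is None:
        raise ValueError("no [gid:sid:rev] triplet in: %r" % alert_line)
    gid, sid, rev = (int(x) for x in m.groups())
    msg = sid_map.get(sid) if gid == 1 else gen_map.get((gid, sid))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": msg}


def resolve_sid_only(alert_line, sid_map):
    """The mistake described in the thread: ignore the GID and key on the SID
    alone, so every generator's SID 108 is shown as the rule with SID 108."""
    m = ALERT_RE.search(alert_line)
    if m is None:
        raise ValueError("no [gid:sid:rev] triplet in: %r" % alert_line)
    return sid_map.get(int(m.group(2)))


if __name__ == "__main__":
    gen_map, sid_map = load_sample_tables()
    # Constructed alert lines in the shape of Snort's alert_fast output.
    for alert in ("[**] [1:108:3] CONSTRUCTED rule event with SID 108 [**]",
                  "[**] [111:108:1] spp_stream4: (constructed) preprocessor "
                  "event with SID 108 [**]"):
        ev = resolve_event(alert, gen_map, sid_map)
        print("%d:%d -> %s | sid-only -> %s"
              % (ev["gid"], ev["sid"], ev["msg"], resolve_sid_only(alert, sid_map)))
```

Running the script shows the two alerts resolving to different messages when the GID is honoured and to the same rule message when it is not, which is the behaviour Todd attributes to the web interface.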