[Snort-users] Rule ID question
wkitty42 at ...14940...
Thu Sep 16 11:30:23 EDT 2010
On 9/16/2010 10:32, Bobby Venal wrote:
> Hi all,
> Noob question here, but I saw an alert with the following:
> "SID: 9003461.1: SMTP Content-Type overflow attempt"
> When I search /etc/sid-msg.map, I find this entry:
> "3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 ||
> What is that prepended "900" in the log entry? I thought it might be
> GID, but I'm not seeing "900" in my gen-msg.map file.
GID entries would have another colon trailing the GID number (i.e. 1: for the
normal text rules in the *.rules files)...
what is your environment configuration? are you using any database type
processing capabilities like barnyard or similar?
where did you see that alert? in the (raw?) snort alert log file or somewhere
else? if somewhere else, how was it processed to display there?
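As an added illustration (not code from the thread or from the Snort project) of how a sid-msg.map entry in the format quoted above is read and how an alert identifier is resolved against it: the first map line mirrors the entry Bobby quoted, the second is a constructed local rule, and the "gid:sid:rev" form is the one the reply describes, with GID 1 assumed when no GID prefix is present. The lookup reports whether the SID from the alert actually exists in the map, which is what fails for the "9003461.1" identifier.

```python
import re

# Constructed sample in sid-msg.map format ("sid || msg || ref || ref ..."):
# first line copies the entry from the thread, the second is made up.
SID_MSG_MAP = """\
3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 ||
1000001 || LOCAL test rule
"""

def parse_sid_msg_map(text):
    """Return {sid: {"msg": str, "refs": [(system, id), ...]}} from map text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # skip a malformed line instead of aborting the whole load
        refs = []
        for ref in fields[2:]:          # trailing "||" yields an empty field
            system, _, ident = ref.partition(",")
            if ident:
                refs.append((system.strip(), ident.strip()))
        table[int(fields[0])] = {"msg": fields[1], "refs": refs}
    return table

# Accepts "gid:sid:rev" (e.g. "1:3461:5") as well as "sid", "sid:rev"
# or the dotted "sid.rev" form that appeared in the poster's log line.
_ID_RE = re.compile(r"^(?:(\d+):)?(\d+)(?:[:.](\d+))?$")

def resolve_alert_id(alert_id, table):
    """Split an alert identifier and look its SID up in the parsed map."""
    m = _ID_RE.match(alert_id.strip())
    if not m:
        raise ValueError(f"unrecognised alert id: {alert_id!r}")
    gid = int(m.group(1)) if m.group(1) else 1   # assumption: text rules are GID 1
    sid = int(m.group(2))
    rev = int(m.group(3)) if m.group(3) else None
    entry = table.get(sid)
    return {
        "gid": gid, "sid": sid, "rev": rev,
        "known": entry is not None,              # False => SID not in sid-msg.map
        "msg": entry["msg"] if entry else None,
        "refs": entry["refs"] if entry else [],
    }

if __name__ == "__main__":
    table = parse_sid_msg_map(SID_MSG_MAP)
    for alert in ("1:3461:5", "9003461.1"):
        print(alert, "->", resolve_alert_id(alert, table))
```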