[Snort-users] Rule ID question

waldo kitty wkitty42 at ...14940...
Thu Sep 16 11:30:23 EDT 2010

On 9/16/2010 10:32, Bobby Venal wrote:
> Hi all,
> Noob question here, but I saw an alert with the following:
> "SID: 9003461.1: SMTP Content-Type overflow attempt"
> When I search /etc/sid-msg.map, I find this entry:
> "3461 || SMTP Content-Type overflow attempt || bugtraq,7419 ||
> cve,2003-0113 ||
> url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx"
> What is that prepended "900" in the log entry?  I thought it might be
> GID, but I'm not seeing "900" in my gen-msg.map file.

GID entries would have another colon trailing the GID number (ie: 1: for the 
normal text rules in the *.rules files)...

what is your environment configuration? are you using any database type 
processing capabilities like barnyard or similar?

where did you see that alert? in the (raw?) snort alert log file or somewhere 
else? if somewhere else, how was it processed to display there?

More information about the Snort-users mailing list