[Snort-users] Identify classification ID
waldo kitty
wkitty42 at ...14940...
Fri Aug 14 11:21:48 EDT 2015
On 08/14/2015 05:19 AM, Gabriel Corre wrote:
> Hi all,
>
> I’m reading my alerts + packets in the file “merged.log” created by:
> “output unified2: filename merged.log, limit 128” in “snort.conf”
>
> Here is what I receive:
> (Event)
>
> sensor id: 0 event id: 10 event second: 1439539372 event
> microsecond: 20723
>
> sig id: 4 gen id: 128 revision: 1 *classification: 25*
GID 128... that's the SSH preprocessor... SID 4 is the ssh protocol mismatch
alert... the rule in preprocessor.rules shows the classification as
"non-standard-protocol"
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata:
rule-type preproc, service ssh ; classtype:non-standard-protocol;)
"non-standard-protocol" is listed in the classification.conf as a type 2 event...
we don't use unified output over here so we can't help much further other than
to say that your research so far is confirmed by what we see over here...
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
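As an added illustration (not code from the list post or from the Snort project), the decoding below ties the three pieces of the thread together: the length-prefixed unified2 records in merged.log, the Unified2IDSEvent layout whose fields appear in the quoted dump (sensor id, event id, event second/microsecond, sig id, gen id, revision, classification), and the fact that Snort numbers classifications positionally, 1, 2, 3, ... in the order the `config classification:` lines appear in classification.conf, which is why non-standard-protocol, the 25th entry in the stock file, comes out as classification 25. Assumptions: the record type constants (7 for the IPv4 event, 104 for the VLAN variant that shares the same 52 leading bytes) are taken from Snort's sf_unified2.h; the classification.conf excerpt is constructed to follow the stock Snort 2.9 ordering; the sample event reproduces the values from the post, while its priority, addresses and ports are made up. On a real sensor, read the actual classification.conf in use, since any local edits shift the ids.

```python
import socket
import struct
from collections import namedtuple

# Unified2 record types (values from Snort's sf_unified2.h).
UNIFIED2_IDS_EVENT = 7          # IPv4 event with a 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # same 52 leading bytes, then MPLS/VLAN fields

RECORD_HDR = struct.Struct("!II")       # record type, body length; network byte order
IDS_EVENT = struct.Struct("!11I2H4B")   # the 52-byte Unified2IDSEvent layout

IdsEvent = namedtuple("IdsEvent",
    "sensor_id event_id event_second event_microsecond signature_id generator_id "
    "signature_revision classification_id priority_id ip_source ip_destination "
    "sport_itype dport_icode protocol impact_flag impact blocked")

def parse_classification_conf(text):
    """Map classification id -> (shortname, description, priority).
    Snort numbers classifications 1, 2, 3, ... in the order the
    'config classification:' lines appear, so the lookup is positional."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("config classification:"):
            continue  # comments and blank lines consume no id
        name, description, priority = [
            f.strip() for f in line.split(":", 1)[1].split(",", 2)]
        table[len(table) + 1] = (name, description, int(priority))
    return table

def iter_records(data):
    """Yield (record_type, body) for each length-prefixed unified2 record."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, data[off:off + length]
        off += length

def summarize_events(log_bytes, class_table):
    """Decode each IDS event record and resolve its classification id."""
    out = []
    for rtype, body in iter_records(log_bytes):
        if rtype not in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            continue  # packet (type 2), IPv6 and extra-data records are skipped here
        if len(body) < IDS_EVENT.size:
            raise ValueError("event body shorter than Unified2IDSEvent")
        ev = IdsEvent(*IDS_EVENT.unpack_from(body))
        name, _desc, prio = class_table.get(ev.classification_id, ("<unknown id>", "", 0))
        out.append({"gid": ev.generator_id, "sid": ev.signature_id, "rev": ev.signature_revision,
                    "classification_id": ev.classification_id, "classtype": name, "priority": prio,
                    "src": socket.inet_ntoa(struct.pack("!I", ev.ip_source)),
                    "dst": socket.inet_ntoa(struct.pack("!I", ev.ip_destination))})
    return out

# Constructed excerpt following the order of the stock Snort 2.9 classification.conf;
# non-standard-protocol is the 25th entry there. Check your own file: local edits shift ids.
SAMPLE_CLASSIFICATION_CONF = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected,1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
"""

# Constructed record reproducing the event from the post (sensor 0, event 10,
# 1439539372.020723, GID 128 / SID 4 rev 1, classification 25). Priority, addresses
# and ports are not in the post and are made up here.
SAMPLE_EVENT_BODY = IDS_EVENT.pack(
    0, 10, 1439539372, 20723, 4, 128, 1, 25, 2,
    int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
    int.from_bytes(socket.inet_aton("10.0.0.22"), "big"), 51234, 22, 6, 0, 0, 0)
SAMPLE_LOG = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(SAMPLE_EVENT_BODY)) + SAMPLE_EVENT_BODY

if __name__ == "__main__":
    table = parse_classification_conf(SAMPLE_CLASSIFICATION_CONF)
    for ev in summarize_events(SAMPLE_LOG, table):
        print(ev)
```

Run against a real merged.log by replacing SAMPLE_LOG with the file's bytes and SAMPLE_CLASSIFICATION_CONF with the contents of the classification.conf the sensor loads; the gid/sid/rev triple then lines up with the rule text the same way GID 128, SID 4 matched SSH_EVENT_PROTOMISMATCH above.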