[Snort-users] Identify classification ID

waldo kitty wkitty42 at ...14940...
Fri Aug 14 11:21:48 EDT 2015


On 08/14/2015 05:19 AM, Gabriel Corre wrote:
> Hi all,
>
> I’m reading my alerts + packets in the file “merged.log” created by :
> “output unified2: filename merged.log, limit 128”  in “snort.conf”
>
> Here is what I receive :
> (Event)
>
>          sensor id: 0    event id: 10    event second: 1439539372        event
> microsecond: 20723
>
>          sig id: 4       gen id: 128     revision: 1 *classification: 25*


GID 128... that's the SSH preprocessor... SID 4 is the SSH protocol mismatch 
alert... the rule in preprocessor.rules shows the classification as 
"non-standard-protocol"

alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: 
rule-type preproc, service ssh ; classtype:non-standard-protocol;)

"non-standard-protocol" is listed in the classification.conf as a type 2 event...

we don't use unified output over here so we can't help much further other than 
to say that your research so far is confirmed by what we see over here...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

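Added worked example (this is not code from the thread or from the Snort project): a small Python script that does the lookup waldo describes by hand. It maps the gen id / sig id pair from a unified2 text dump to the rule in preprocessor.rules, and maps the classification number to its line in classification.conf. Snort numbers classifications by the order of the "config classification:" lines as it reads the file, starting at 1, so the number in a unified2 record is only meaningful against the same classification.conf the sensor loaded; the script also checks that the classtype named in the rule agrees with the numbered entry, which is the quickest way to notice a mismatched classification.conf. The classification.conf excerpt is constructed to follow the stock Snort 2.9 ordering (check it against your own copy), the rule line is the one quoted in the reply, and the event text is the one quoted from the question. The last field on a classification line is the classtype's priority; the 2 the reply mentions is that field.

```python
"""Resolve a Snort unified2 event (gen id, sig id, classification number)
to the rule message and the classification.conf entry.
Illustration added for this thread; not Snort project code."""
import re

# Constructed excerpt in the order of a stock Snort 2.9 classification.conf.
# Snort assigns classification IDs by line order, starting at 1, so the
# position of a line in *your* file is what the unified2 record reports.
CLASSIFICATION_CONF = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected,1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
"""

# The preprocessor rule quoted in the reply.
PREPROCESSOR_RULES = """\
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;)
"""

# The u2spewfoo-style event text quoted in the question.
U2_EVENT_DUMP = """\
(Event)
        sensor id: 0    event id: 10    event second: 1439539372        event microsecond: 20723
        sig id: 4       gen id: 128     revision: 1     classification: 25
"""


def parse_classifications(conf_text):
    """Return {classification_id: (classtype, description, priority)}."""
    table = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("config classification:"):
            continue
        name, rest = line.split(":", 1)[1].split(",", 1)
        desc, prio = rest.rsplit(",", 1)       # priority is always last
        table[len(table) + 1] = (name.strip(), desc.strip(), int(prio))
    return table


# key: value;  -- value is either a quoted string or anything up to the ';'
RULE_OPT = re.compile(r'(\w[\w-]*)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rules(rules_text):
    """Return {(gid, sid): {option: value}} for every alert rule.
    A rule without an explicit gid belongs to generator 1."""
    rules = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        body = line[line.index("(") + 1:line.rindex(")")]
        opts = {k: v.strip().strip('"') for k, v in RULE_OPT.findall(body)}
        rules[(int(opts.get("gid", 1)), int(opts["sid"]))] = opts
    return rules


U2_FIELD = re.compile(r"([a-z][a-z ]*?):\s*(\d+)")


def parse_u2_event(dump_text):
    """Pull the numeric 'name: value' fields out of an (Event) dump."""
    return {k.strip(): int(v) for k, v in U2_FIELD.findall(dump_text)}


def resolve(event, rules, classes):
    """Join an event to its rule and classification entry, and flag it if
    the rule's classtype disagrees with the numbered classification.conf
    line (a sign the sensor loaded a different classification.conf)."""
    rule = rules.get((event["gen id"], event["sig id"]))
    cls = classes.get(event["classification"])
    out = {
        "gid": event["gen id"], "sid": event["sig id"],
        "msg": rule["msg"] if rule else None,
        "rule_classtype": rule.get("classtype") if rule else None,
        "classification_id": event["classification"],
        "classtype": cls[0] if cls else None,
        "priority": cls[2] if cls else None,
    }
    out["consistent"] = out["rule_classtype"] == out["classtype"]
    return out


if __name__ == "__main__":
    ev = parse_u2_event(U2_EVENT_DUMP)
    print(resolve(ev, parse_rules(PREPROCESSOR_RULES),
                  parse_classifications(CLASSIFICATION_CONF)))
```

To use it on a real sensor, swap the three embedded strings for the contents of the sensor's classification.conf, its rule files, and the output of u2spewfoo over merged.log; if "consistent" comes back False, the number in the record was assigned against a classification.conf with a different line order than the one you are reading.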