[Snort-users] Alerts including gen_id and sig_id?

Paul Guijt paul.guijt at ...11827...
Sun Apr 16 12:42:44 EDT 2017


Hi All,

I have alerts like 

	[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
	[Classification: Potentially Bad Traffic] [Priority: 2]
	04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
	TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
	***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
	TCP Options (3) => NOP NOP TS: 1978513079 3620817

and want to deduce the related gen_id and sig_id to construct a suppress
rule. 

Do I understand correctly that the '129' is (always) the gen_id and the '12'
is (always) the sig_id? 

If not, how can I find them anyway? 

Thanks!
Paul
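
The alert header Snort prints is `[**] [gen_id:sig_id:rev] message [**]`, so in the alert above 129 is the gen_id, 12 the sig_id and 1 the rule revision; gen_id 1 is used for text rules, higher gen_ids for preprocessor events such as this one. The following is an added example, not code from the post or from the Snort project: it parses a full-format alert into those fields and emits the matching `suppress` line for threshold.conf, optionally restricted to the alert's source or destination host. The sample input is the alert text quoted in the post; the function names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Alert text copied from the post above, used as sample input.
SAMPLE_ALERT = """\
[**] [129:12:1] Consecutive TCP small segments exceeding threshold
[**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1978513079 3620817
"""

# Snort's alert header is "[**] [gen_id:sig_id:rev] message [**]". The message may be
# wrapped onto a second line (as in the post), so the closing "[**]" is matched
# across newlines.
_HEADER_RE = re.compile(
    r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]", re.DOTALL
)
# "src[:port] -> dst[:port]"; the port is optional because ICMP alerts carry none.
_ADDR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*->\s*(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


class Alert(NamedTuple):
    gen_id: int
    sig_id: int
    rev: int
    message: str
    src_ip: Optional[str]
    dst_ip: Optional[str]


def parse_alert(text: str) -> Alert:
    """Extract gen_id, sig_id, rev, message and endpoints from one full-format alert."""
    m = _HEADER_RE.search(text)
    if m is None:
        raise ValueError("no [gen_id:sig_id:rev] header found in alert text")
    addrs = _ADDR_RE.search(text)
    return Alert(
        gen_id=int(m.group(1)),
        sig_id=int(m.group(2)),
        rev=int(m.group(3)),
        message=" ".join(m.group(4).split()),  # rejoin a wrapped message onto one line
        src_ip=addrs.group(1) if addrs else None,
        dst_ip=addrs.group(2) if addrs else None,
    )


def suppress_rule(alert: Alert, track: Optional[str] = None) -> str:
    """Return a threshold.conf 'suppress' line for this alert.

    track=None suppresses the event for every host; 'by_src' or 'by_dst' limits
    the suppression to the alert's source or destination IP. The rev field is
    not part of a suppress rule, so it is deliberately left out.
    """
    line = f"suppress gen_id {alert.gen_id}, sig_id {alert.sig_id}"
    if track is None:
        return line
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be None, 'by_src' or 'by_dst'")
    ip = alert.src_ip if track == "by_src" else alert.dst_ip
    if ip is None:
        raise ValueError("alert carries no IP addresses to track on")
    return f"{line}, track {track}, ip {ip}"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"gen_id={a.gen_id} sig_id={a.sig_id} rev={a.rev}  ({a.message})")
    print(suppress_rule(a))
    print(suppress_rule(a, "by_src"))
```

The emitted line goes into threshold.conf (which snort.conf pulls in with `include threshold.conf`). Tracking by IP is the safer choice for a preprocessor event like this one: it silences the noisy host pair without hiding the same event from other hosts, where it may still be worth seeing. If the goal is to reduce volume rather than drop the event entirely, an `event_filter` with `type limit` on the same gen_id and sig_id keeps the first occurrences per time window instead.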
