[Snort-users] Alerts including gen_id and sig_id?
paul.guijt at ...11827...
Sun Apr 16 12:42:44 EDT 2017
I have alerts like
[**] [129:12:1] Consecutive TCP small segments exceeding threshold
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x33FFC114 Ack: 0x29CB4BB5 Win: 0x6000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1978513079 3620817
and want to deduce the related gen_id and sig_id to construct a suppress
Do I understand correctly that the '129' is (always) the gen_id and the '12'
is (always) the sig_id?
If not, how can I find them anyway?
More information about the Snort-users