[Snort-users] Alerts including gen_id and sig_id?

wkitty42 at ...14940...
Sun Apr 16 14:46:04 EDT 2017


On 04/16/2017 12:42 PM, Paul Guijt wrote:
> Hi All,
>
> I have alerts like
>
> 	[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
> 	[Classification: Potentially Bad Traffic] [Priority: 2]
> 	04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
> 	TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
> 	***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
> 	TCP Options (3) => NOP NOP TS: 1978513079 3620817
>
> and want to deduce the related gen_id and sig_id to construct a suppress
> rule.
>
> Do I understand correctly that the '129' is (always) the gen_id and the '12'
> is (always) the sig_id?

If I'm understanding your question correctly, yes, the first part is always the 
GID, the second is the SID and the third is the REV...

   GID:SID:REV


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.