[Snort-users] Alerts including gen_id and sig_id?

Al Lewis (allewi) allewi at ...589...
Sun Apr 16 15:07:53 EDT 2017


You can find them all in the preproc_rules/preprocessor.rules file.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 







On 4/16/17, 12:42 PM, "Paul Guijt" <paul.guijt at ...11827...> wrote:

>Hi All,
>
>I have alerts like 
>
>	[**] [129:12:1] Consecutive TCP small segments exceeding threshold
>[**]
>	[Classification: Potentially Bad Traffic] [Priority: 2]
>	04/16-07:26:27.202693 192.168.178.100:2049 -> 192.168.178.28:698
>	TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
>	***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
>	TCP Options (3) => NOP NOP TS: 1978513079 3620817
>
>and want to deduce the related gen_id and sig_id to construct a suppress
>rule. 
>
>Do I understand correctly that the '129' is (always) the gen_id and the '12'
>is (always) the sig_id? 
>
>If not, how can I find them anyway? 
>
>Thanks!
>Paul
>
>
>
>
>------------------------------------------------------------------------------
>Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list