[Snort-users] Alerts including gen_id and sig_id?

Al Lewis (allewi) allewi at ...589...
Sun Apr 16 15:07:53 EDT 2017

You can find them all in the preproc_rules/preprocessor.rules file.

Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 

On 4/16/17, 12:42 PM, "Paul Guijt" <paul.guijt at ...11827...> wrote:

>Hi All,
>I have alerts like 
>	[**] [129:12:1] Consecutive TCP small segments exceeding threshold
>	[Classification: Potentially Bad Traffic] [Priority: 2]
>	04/16-07:26:27.202693 ->
>	TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
>	***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
>	TCP Options (3) => NOP NOP TS: 1978513079 3620817
>and want to deduce the related gen_id and sig_id to construct a suppress
>Do I understand correctly that the '129' is (always) the gen_id and the '12'
>is (always) the sig_id? 
>If not, how can I find them anyway? 
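The bracketed triple in a Snort alert header is always gen_id:sig_id:rev, so [129:12:1] is gen_id 129, sig_id 12, revision 1, and gen_ids other than 1 (text rules) or 3 (shared-object rules) belong to a decoder or preprocessor, which is why the rule text is found under preproc_rules/. The following is an added example, not code from the thread or from the Snort project: it parses both the "full" alert block shown in the question and the one-line "fast" format, and emits the matching threshold.conf suppress lines. The sample alert text is constructed for the example; the 1:1000001 rule is a placeholder in the local sid range, not a real Snort rule.

```python
import re
from collections import Counter

# Constructed sample alert output (not from the original thread): one "full"
# alert block like the poster's, plus two "fast" style lines.
SAMPLE_ALERTS = """\
[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/16-07:26:27.202693 10.0.0.5:443 -> 10.0.0.9:51234
TCP TTL:64 TOS:0x0 ID:25253 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0x33FFC114  Ack: 0x29CB4BB5  Win: 0x6000  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1978513079 3620817

04/16-07:27:01.000001  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:443 -> 10.0.0.9:51235
04/16-07:28:13.000002  [**] [1:1000001:1] LOCAL example text rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.0.0.9:51300
"""

# Every Snort alert header carries its identity as [gen_id:sig_id:rev];
# the message text runs until the next bracketed field or end of line.
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*([^\[\n]*)")


def parse_alert_ids(text):
    """Return (gid, sid, rev, msg) for each alert header found in text."""
    found = []
    for m in ALERT_ID_RE.finditer(text):
        gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
        found.append((gid, sid, rev, m.group(4).strip()))
    return found


def gid_kind(gid):
    """Where the rule text for a gen_id lives in a stock Snort 2 rule tree."""
    if gid == 1:
        return "text rule (rules/*.rules)"
    if gid == 3:
        return "shared-object rule (so_rules/)"
    return "preprocessor or decoder alert (preproc_rules/)"


def suppress_line(gid, sid, track=None, ip=None):
    """Build one threshold.conf suppress line.

    Without track/ip the suppression is global; with track by_src/by_dst
    and an ip it only silences the alert for that address.
    """
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track is not None:
        if track not in ("by_src", "by_dst") or ip is None:
            raise ValueError("track must be by_src or by_dst and needs an ip")
        line += f", track {track}, ip {ip}"
    return line


def suppress_rules(alerts):
    """One global suppress line per distinct (gid, sid), sorted by id."""
    ids = sorted({(gid, sid) for gid, sid, _rev, _msg in alerts})
    return [suppress_line(gid, sid) for gid, sid in ids]


def alert_counts(alerts):
    """How often each (gid, sid) fired, to decide what is worth suppressing."""
    return Counter((gid, sid) for gid, sid, _rev, _msg in alerts)


if __name__ == "__main__":
    alerts = parse_alert_ids(SAMPLE_ALERTS)
    for (gid, sid), n in alert_counts(alerts).most_common():
        print(f"{gid}:{sid} fired {n}x  ({gid_kind(gid)})")
    print("\n".join(suppress_rules(alerts)))
```

Note that the rev field is not part of the suppress syntax, and that a suppress only drops the alert: the preprocessor still does the work that produced it, so if the event is noise from a particular host it is usually better to scope the suppression with track by_src/by_dst and an ip than to silence the sig_id globally.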
