[Snort-users] BASE is showing "Snort Alert" and sid instead of the message field.

Al Lewis (allewi) allewi at cisco.com
Tue Sep 19 12:50:23 EDT 2017


It's a preprocessor rule:

ALLEWI-M-8257:~ allewi$ less /var/tmp/snort-2.9.9.0-released/preproc_rules/preprocessor.rules | grep 120 | grep "sid: 3"
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
ALLEWI-M-8257:~ allewi$


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of William Pearson <william at cnsp.net>
Date: Tuesday, September 19, 2017 at 12:43 PM
To: "Snort-users at lists.snort.org" <Snort-users at lists.snort.org>
Subject: [Snort-users] BASE is showing "Snort Alert" and sid instead of the message field.


[snort<http://www.snort.org/search/sid/120-3>] Snort Alert [120:3:1]


Any help in having it show the message field instead would be helpful. Not sure why it's doing that.

Will
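
The lookup from the reply, as an added example that is not part of the original thread: it resolves the [gid:sid:rev] triplet that BASE prints to the rule's msg by exact gid and sid, where the substring grep would also match lines such as sid: 30. The function names and the two sample rules other than 120:3 are constructed for illustration.

```python
import re

# Constructed sample in the preprocessor.rules format. The 120:3 line is the one
# quoted in the thread; the other two are made up to exercise exact matching.
SAMPLE_RULES = """\
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "EXAMPLE_SID_THIRTY"; sid: 30; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "EXAMPLE_OTHER_GID"; sid:3; gid:1200; rev:2; metadata: rule-type preproc ; classtype:unknown; )
"""

RULE = re.compile(r'^\s*alert\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')
TRIPLET = re.compile(r'\[(\d+):(\d+)(?::(\d+))?\]')

def build_index(rules_text):
    """Map (gid, sid) -> (msg, rev) for every header-less 'alert ( ... )' rule."""
    index = {}
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # blank line, comment, or not a preprocessor-style rule
        opts = {k: v.strip('"') for k, v in OPTION.findall(m.group(1))}
        try:
            # Assumption: a rule without a gid option belongs to generator 1.
            key = (int(opts.get("gid", 1)), int(opts["sid"]))
            rev = int(opts.get("rev", 1))
        except (KeyError, ValueError):
            continue  # no usable sid/gid/rev, skip rather than guess
        index[key] = (opts.get("msg", ""), rev)
    return index

def resolve(alert_text, index):
    """Return the msg for the [gid:sid:rev] found in a BASE alert line, or None."""
    m = TRIPLET.search(alert_text)
    if not m:
        return None
    entry = index.get((int(m.group(1)), int(m.group(2))))
    return entry[0] if entry else None

if __name__ == "__main__":
    idx = build_index(SAMPLE_RULES)
    print(resolve("Snort Alert [120:3:1]", idx))
```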