Snort mailing list archives
Re: Fast Alert Log Format
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 04 Mar 2002 09:21:45 -0500
Here's the breakdown of the SID block:

[1:300001:1]
 ^    ^   ^
 |    |   |
 |    |   +-- Revision number (Rev)
 |    +------ Snort ID (SID)
 +----------- Generator ID (GID)

The generator ID is the subsystem within Snort that generated the event. The references for this data can be found in generators.h, but for the sake of enlightenment (not the window manager) a GID of 1 means the primary detection engine generated the event.

The SID is the identification number of the event. These numbers are unique to each Snort signature and each detectable event that the preprocessors can generate. If you want to find out which signature generated an event, just grep *.rules for the SID.

The revision number is the version of the rule that went off; as rules are updated and evolve, these numbers will increment.

Hope that helps!

-Marty

On 3/4/02 1:11 AM, "Bill McCarty" <bmccarty () apu edu> wrote:
I'm writing a program to process lines in Snort's Fast Alert Log. However, I can't decipher several of the fields. Here's a typical log entry:

03/03-22:06:32.396957 [**] [1:300001:1] Service Hunt [**] [Classification: Misc activity] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40144 -> xxx.xxx.xxx.xxx:21

Can someone tell me what information can appear in the two fields containing asterisks? In my logs I find no entry in which they contain anything else. And, can someone tell me the meaning of the number preceding the sid (3000001) and the rule revision number?

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
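An added example, not code from the thread or from Snort itself: it parses the fast-alert line format Bill posted into the fields Marty describes (GID, SID, revision, classification, priority, protocol, endpoints) and performs the "grep *.rules for the SID" lookup. The sample addresses, the second log line and the rule text are constructed; treating the Classification block as optional and addresses as IPv4 are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of a Snort fast-alert line as shown in the post (IPv4 addresses assumed):
#   date-time [**] [GID:SID:REV] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# Treating the Classification block as optional is an assumption (rules without a classtype).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

@dataclass
class FastAlert:
    timestamp: str
    gid: int                  # generator: 1 = primary detection engine (see generators.h)
    sid: int                  # signature / event id, unique per rule or preprocessor event
    rev: int                  # revision of the rule that fired
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    src_port: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst: str
    dst_port: Optional[int]

def parse_fast_alert(line: str) -> Optional[FastAlert]:
    """Parse one fast-alert line; return None for lines that do not match the layout."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    opt_int = lambda v: int(v) if v is not None else None
    return FastAlert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                     m["cls"], int(m["prio"]), m["proto"], m["src"], opt_int(m["sport"]),
                     m["dst"], opt_int(m["dport"]))

def find_rule_by_sid(rules_text: str, sid: int) -> Optional[str]:
    """The 'grep *.rules for the SID' step: return the rule line carrying sid:N, if any."""
    pat = re.compile(rf"\bsid\s*:\s*{sid}\s*;")
    return next((l for l in rules_text.splitlines() if pat.search(l)), None)

# Constructed sample input: the post's line with placeholder addresses filled in, plus an
# assumed line from a rule with no classtype (and so no Classification block, no ports).
SAMPLE_LINES = [
    "03/03-22:06:32.396957 [**] [1:300001:1] Service Hunt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40144 -> 10.0.0.9:21",
    "03/03-22:07:01.000001 [**] [1:1000001:2] Example local rule [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.9",
]
SAMPLE_RULES = 'alert tcp any any -> any 21 (msg:"Service Hunt"; classtype:misc-activity; sid:300001; rev:1;)\n'
```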