Snort mailing list archives
Question on GID 116 (multiple
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 28 Dec 2020 12:02:38 +0100
Hello,

I'm working on updating the Snort3 Splunk plugin (for normalizing and adding data to Snort3 alerts in Splunk), and I have a question regarding GID 116. When I run *snort --list-gids*, I see that there are multiple entries for GID 116:

    noah@snort3:~$ snort --list-gids
    105: back_orifice
    106: rpc_decode
    112: arp_spoof
    116: arp
    116: auth
    116: ciscometadata
    116: decode
    116: erspan2
    116: erspan3
    116: esp
    116: eth
    116: fabricpath
    116: gre
    116: gtp
    116: icmp4
    116: icmp6
    116: igmp
    ...

Is there a reason for this duplication (are these all part of the same set of decoders or something)? I also see this for GID 133 as well.

The reason I ask is because I'm configuring lookups to add relevant information to the search results in Splunk (adding the name of the decoder/preprocessor to each event), and this makes it more difficult. For example, in my results I have two alerts with GID 116 showing the following msg:

    (icmp4) ICMP ping Nmap
    (tcp) TCP SYN with FIN

I assume that I'm looking at the icmp4 and tcp decoders within GID 116, but I wanted to make sure.

Thanks,
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
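As an added illustration of the lookup problem raised in the post (this is example code, not part of the original message, the Snort3 Splunk plugin, or Snort itself): the script below parses `snort --list-gids` output in the `GID: name` form quoted above into a GID-to-names table, and resolves the module name for an alert. For a GID that maps to a single name the name is used directly; for a shared GID such as 116 the parenthesised prefix of the alert msg (`(icmp4) ...`) is matched against the names registered under that GID. The sample output is constructed from the excerpt in the post, which is truncated with `...`, so `tcp` is deliberately absent from it: an alert whose prefix is not in the table resolves to `None` rather than being silently labelled, which is the behaviour a lookup should have when its source list is incomplete. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post (the real output is longer).
LIST_GIDS_OUTPUT = """\
105: back_orifice
106: rpc_decode
112: arp_spoof
116: arp
116: auth
116: ciscometadata
116: decode
116: erspan2
116: erspan3
116: esp
116: eth
116: fabricpath
116: gre
116: gtp
116: icmp4
116: icmp6
116: igmp
"""

# One "GID: name" entry per line; anything else (prompt, "...") is skipped.
GID_LINE = re.compile(r"^\s*(\d+):\s*(\S+)\s*$")
# Alert msg of the form "(module) text", as seen in the post's two examples.
MSG_PREFIX = re.compile(r"^\((?P<name>[^)\s]+)\)\s*(?P<rest>.*)$")


def parse_list_gids(text):
    """Map each GID to the ordered list of module names registered under it."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = GID_LINE.match(line)
        if not m:
            continue
        gid, name = int(m.group(1)), m.group(2)
        if name not in table[gid]:
            table[gid].append(name)
    return dict(table)


def shared_gids(table):
    """GIDs registered by more than one module (116 in the sample)."""
    return sorted(gid for gid, names in table.items() if len(names) > 1)


def resolve_module(table, gid, msg):
    """Return (module_name, msg_without_prefix) for one alert.

    A GID with exactly one registered name resolves to that name. A shared
    GID resolves through the "(module)" prefix of the msg, but only when the
    prefix is one of the names listed for that GID; otherwise (unknown GID,
    missing prefix, or prefix not in the table) the result is None so the
    lookup does not mislabel the event.
    """
    names = table.get(gid, [])
    m = MSG_PREFIX.match(msg)
    prefix = m.group("name") if m else None
    rest = m.group("rest") if m else msg
    if len(names) == 1:
        return names[0], rest
    if prefix is not None and prefix in names:
        return prefix, rest
    return None, msg


def lookup_rows(table):
    """Flatten the table into (gid, module) rows suitable for a CSV lookup."""
    return [(gid, name) for gid in sorted(table) for name in table[gid]]


if __name__ == "__main__":
    table = parse_list_gids(LIST_GIDS_OUTPUT)
    print("shared GIDs:", shared_gids(table))
    for gid, msg in [(116, "(icmp4) ICMP ping Nmap"),
                     (116, "(tcp) TCP SYN with FIN"),
                     (105, "some back_orifice alert")]:
        print(gid, msg, "->", resolve_module(table, gid, msg))
```

Feeding the complete `--list-gids` output into `parse_list_gids` (rather than the truncated excerpt) would let the `(tcp)` alert resolve as well; the `None` result is the signal that the lookup table needs regenerating from the running Snort build.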