Snort Forums Archive
Seeing a lot of Snort Alert [1:3000:0]
Posted by TBoNe on March 23, 2005 09:13:32
Where is this coming from? I'm seeing it all over sguil. Is this caused by a preprocessor? It only seems to be complaining about smb traffic on port 139 and 443. What causes the Snort Alert[] series of alerts?
Snort 2.3.2 current rules
barnyard 0.2.0
sguil 0.5.2
Redhat Enterprise
Posted by bamm on March 29, 2005 07:39:36
This means your sid-msg.map is out of whack on your sensor. The unified format doesn't actually save the sig message. When barnyard parses the entry, it gets the message based on the generator and signature ids contained in the sid-msg.map. If it can't find the appropriate entry, then it just uses [generator id:sig id:revision].
Bammkkkk
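The lookup bamm describes, as an added example (not barnyard's code and not from the thread): it parses a constructed sid-msg.map in the Snort 2.x `sid || msg || ref` layout, resolves an event's (gid, sid, rev) to a message with the `[gid:sid:rev]` fallback, and lists the sids a rules file uses that the map lacks, which is the check that finds the mismatch behind the generic `Snort Alert [1:3000:0]` entries. Only generator 1 is looked up here; handling of other generators via gen-msg.map is left out as a simplifying assumption.

```python
import re

# Constructed sid-msg.map sample (Snort 2.x format: sid || msg || ref || ref ...).
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
2001 || NETBIOS SMB example rule (constructed) || bugtraq,0000 || cve,0000-0000
2002 || WEB-MISC example rule (constructed)
"""

# Constructed rules file: sid 3000 is loaded on the sensor but missing from the map above.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB example"; sid:2001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB-DS example"; sid:3000; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_sid_msg_map(text):
    """Return {sid: msg} from sid-msg.map text, skipping comments, blanks and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # do not guess at a broken entry; leave it unmapped
        table[int(fields[0])] = fields[1]
    return table


def resolve_message(sid_map, gid, sid, rev):
    """Mimic the barnyard lookup: mapped message if known, else the generic [gid:sid:rev] form.

    Assumption: only generator 1 (the rules engine) is resolved through sid-msg.map here.
    """
    if gid == 1 and sid in sid_map:
        return sid_map[sid]
    return f"Snort Alert [{gid}:{sid}:{rev}]"


def sids_missing_from_map(rules_text, sid_map):
    """Sids referenced by the rules but absent from the map; these will show as Snort Alert [1:sid:rev]."""
    rule_sids = {int(m.group(1)) for m in SID_RE.finditer(rules_text)}
    return sorted(rule_sids - set(sid_map))
```

Run `sids_missing_from_map` against the sensor's rules and the sid-msg.map barnyard reads; a non-empty result means the map is stale relative to the rules.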
Posted by TBoNe on March 30, 2005 06:53:20
Ahhh, that makes perfect sense. I figured something like that was happening. Cool, thanks.