Snort Forums Archive
New Signatures in version 2.3.3
Posted by xavierc on April 29, 2005 07:40:55
Can someone help me interpret these new signatures?
Snort Alert [122:27:0]
Snort Alert [122:3:0]
Snort Alert [122:19:0]
etc....
Where do they come from?
Regards
Xavier Cabrera.
Posted by nigel on April 29, 2005 11:41:00
The event format is:
[ GENERATOR ID : SIGNATURE ID : REVISION ]
Thus your events are:
[ 122 portscan : 27 Open Port : 0 revision ]
[ 122 portscan : 3 TCP Portsweep : 0 revision ]
[ 122 portscan : 19 UDP Portsweep : 0 revision ]
Take a look in the gen-msg.map for all your other events.
Posted by xavierc on April 29, 2005 12:51:37
Thanks for your help.
One more thing: is there some way to display this information online in real time?
Maybe an include /etc/snort/gen-msg.map?
Regards
Xavier Cabrera.
Posted by xavierc on May 03, 2005 06:48:54
The problem was solved. I had to insert new signatures in gen-msg.map.
The signatures for Bleeding Snort go with 1 || in front of them.
Thanks.
Xavier Cabrera.
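The lookup described in this thread, as an added example that is not part of the original posts: it parses lines in the `generator id || signature id || message` layout and resolves `[gid:sid:rev]` triples against them. The function names, the sample map text and the SID 9999999 entry are constructed for illustration.

```python
import re

# Constructed sample in gen-msg.map layout: "generator id || signature id || message".
# The 122 entries use the names given in the thread; the generator 1 line (the
# "1 ||" prefix mentioned in the last post) is a made-up placeholder.
SAMPLE_MAP = """\
# comment lines are skipped
122 || 3 || portscan: TCP Portsweep
122 || 19 || portscan: UDP Portsweep
122 || 27 || portscan: Open Port
1 || 9999999 || constructed placeholder rule message
"""

EVENT_ID = re.compile(r"\[\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*\]")

def load_gen_msg_map(text):
    """Return {(gid, sid): message}, skipping comments, blanks and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def parse_event_id(alert):
    """Extract (gid, sid, rev) from text such as 'Snort Alert [122:27:0]'."""
    m = EVENT_ID.search(alert)
    if m is None:
        raise ValueError(f"no [gid:sid:rev] triple in {alert!r}")
    return tuple(int(g) for g in m.groups())

def describe(alert, table):
    """Replace the numeric triple with its mapped message, flagging unmapped ids."""
    gid, sid, rev = parse_event_id(alert)
    msg = table.get((gid, sid))
    if msg is None:
        return f"[{gid}:{sid}:{rev}] unmapped: add '{gid} || {sid} || <message>' to the map"
    return f"[{gid}:{sid}:{rev}] {msg}"

if __name__ == "__main__":
    table = load_gen_msg_map(SAMPLE_MAP)
    for alert in ("Snort Alert [122:27:0]", "Snort Alert [1:9999999:0]", "Snort Alert [122:5:0]"):
        print(describe(alert, table))
```

The unmapped branch corresponds to the situation in the first post: an alert whose generator and signature IDs have no line in the map shows up as bare numbers.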