
Re: Interpreting Snort SID 1 result

On Fri, May 06, Martin G.H. Minkler wrote:
> Not sure whether this belongs here but no one answered over at 
> debian-firewall - I've had strange results in my snort logs that I can't 
> really interpret, the sid 1 doesn't look like a "normal" snort result to 

[...]

> 02/22-17:58:46.493171  [**] [121:1:1] Portscan detected from <scanning 
> machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) 

This is normal. 

"121" is the genID of this preprocessor (flow-portscan).  "1" is the
sigID for this preprocessor's event (Fixed Scale Scanner). The
remaining "1" is the revision.

You can look at <snort src>/etc/gen-msg.map for a listing of all the
possible combinations you might see. The FAQ in section 4.32 also
describes this. I'm not sure if this is in the official manual or not
(I'll have to look). If it isn't, I'll toss it over. 
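As an added illustration of the `[genID:sigID:rev]` triple the reply explains (example code written for this page, not anything from the thread or from Snort itself), the parser below splits a Snort fast-alert line into its three identifiers and looks the pair up in a small, constructed subset of gen-msg.map; the only entry is the 121:1 flow-portscan event from the quoted log line. The sample log lines and the IP address in them are constructed, and the rule that gid 1 means "rules engine, consult sid-msg.map" rather than a preprocessor is standard Snort behaviour.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed subset of <snort src>/etc/gen-msg.map: (gid, sid) -> description.
# 121:1 is the flow-portscan "Fixed Scale Scanner" event discussed in the thread.
GEN_MSG_MAP = {
    (121, 1): "flow-portscan: Fixed Scale Scanner",
}

# Fast-alert layout: timestamp  [**] [gid:sid:rev] message ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*)$"
)


class SnortEvent(NamedTuple):
    timestamp: str
    gid: int   # generator id: 1 = rules engine, anything else = a preprocessor
    sid: int   # signature id within that generator
    rev: int   # revision of the signature/event definition
    msg: str

    @property
    def source(self) -> str:
        # gid 1 events come from a rule in the ruleset; other gids are preprocessors.
        return "rule" if self.gid == 1 else "preprocessor"

    @property
    def description(self) -> str:
        if self.gid == 1:
            return "rule sid %d (see sid-msg.map)" % self.sid
        return GEN_MSG_MAP.get((self.gid, self.sid), "unknown preprocessor event (see gen-msg.map)")


def parse_alert(line: str) -> Optional[SnortEvent]:
    """Return a SnortEvent for one fast-alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return SnortEvent(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"])


def parse_log(text: str) -> List[SnortEvent]:
    """Parse every alert line in a log, silently skipping non-alert lines."""
    return [e for e in (parse_alert(l) for l in text.splitlines()) if e is not None]


# Constructed sample log modelled on the line quoted in the thread (IP is a placeholder).
SAMPLE_LOG = """\
02/22-17:58:46.493171  [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
02/22-17:59:01.000000  [**] [1:2003:5] Constructed rule alert [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80
this line is not an alert and is skipped
"""
```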