Sunday, 14 September 2014

Getting more information about Snort rules

I often need more information about a Snort IDS alert I have found in the logs, and digging through the Snort manual for the details of that alert is tedious. Fortunately, Sourcefire (now part of Cisco), the company behind Snort, provides an online option.

Every Snort alert contains a reference that reads something like [3:15912:2]. This breaks down as [(detection mechanism, i.e. the generator ID):(signature ID):(signature revision)]. Using the SID (the middle number) you can find more information about most signatures.

If the number is less than 1000000, it is a Sourcefire rule. In this case you can get more information about the rule by going to https://www.snort.org/search?query=15912&submit_search= (replacing 15912 with the SID in question).

If the number is between 1000000 and 2000000, it is a Snort community rule. In this case, the best source of information is the rule itself, which can be downloaded from the Community Rules page.

If the number is between 2000000 and 3000000, it comes from emergingthreats.net and you can get more information by going to http://doc.emergingthreats.net/bin/view/Main/<sid number>.

Finally, if the number is in the 6000000 to 7000000 range, it is a custom rule developed based upon patterns.
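To make this lookup routine, here is an added Python example (my own, not from the original post) that pulls the [gid:sid:rev] reference out of alert lines, classifies the SID by the ranges listed above, and builds the lookup URL where the page gives one. The alert lines and rule messages are constructed samples in Snort's fast-alert format.

```python
import re
from typing import Optional

# Matches the [generator:sid:revision] reference in an alert line; other
# bracketed fields such as [**] or [Priority: 2] do not fit this pattern.
ALERT_REF = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]")

# SID ranges as described in the post (lower bound inclusive, upper exclusive).
SID_SOURCES = [
    (0, 1_000_000, "sourcefire"),
    (1_000_000, 2_000_000, "community"),
    (2_000_000, 3_000_000, "emergingthreats"),
    (6_000_000, 7_000_000, "custom"),
]

def parse_alert(line: str) -> Optional[dict]:
    """Return {'gid', 'sid', 'rev'} for an alert line, or None if it has no reference."""
    m = ALERT_REF.search(line)
    if m is None:
        return None
    return {k: int(v) for k, v in m.groupdict().items()}

def sid_source(sid: int) -> str:
    """Name the rule source for a SID, or 'unknown' for ranges the post does not cover."""
    for lo, hi, name in SID_SOURCES:
        if lo <= sid < hi:
            return name
    return "unknown"

def lookup_url(sid: int) -> Optional[str]:
    """Online documentation URL for the SID; None where the rule text itself is the source."""
    src = sid_source(sid)
    if src == "sourcefire":
        return f"https://www.snort.org/search?query={sid}&submit_search="
    if src == "emergingthreats":
        return f"http://doc.emergingthreats.net/bin/view/Main/{sid}"
    return None  # community and custom rules: read the downloaded rule file

SAMPLE_ALERTS = [  # constructed sample lines, not real traffic
    "09/14-10:01:02.123456  [**] [3:15912:2] SAMPLE RULE MSG [**] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:80",
    "09/14-10:01:03.000001  [**] [1:2000345:5] ET SAMPLE POLICY MSG [**] [Priority: 3] {UDP} 10.0.0.5:53 -> 10.0.0.1:53",
    "09/14-10:01:04.000002  [**] [1:6000001:1] LOCAL custom pattern [**] [Priority: 1] {TCP} 10.0.0.5:1025 -> 10.0.0.9:22",
    "a log line without any rule reference",
]

def triage(lines):
    """Map each alert line to (sid, source, url); lines without a reference are skipped."""
    out = []
    for line in lines:
        ref = parse_alert(line)
        if ref is not None:
            out.append((ref["sid"], sid_source(ref["sid"]), lookup_url(ref["sid"])))
    return out

if __name__ == "__main__":
    for sid, src, url in triage(SAMPLE_ALERTS):
        print(sid, src, url or "(look at the rule text itself)")
```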
