Re: new syslog format

[Martin Roesch <roesch () sourcefire com>]

That's the new "Event Data" field.  The format is 

[G:S:R]
G = Generator ID
S = Snort ID
R = Revision Number

The Generator ID identifies the subsystem of Snort that generated an
event.  ID number 1 is the primary detection engine, and everything else
is defined in generators.h.

The Snort ID ("SID") is the unique ID number of the Snort rule that has
fired (see the "sid" field in your Snort rule files.

The Revision number is the revision number of the SID that has fired, as
rules change and mature the revision number is incremented to indicate
these changes.  

The Event Data field is largely there for machine processing by MSSPs
and output analysis programs, with the advent of this tracking system
it's much easier to tell exactly what rules are going off no matter what
the msg fields look like.

     -Marty


> "Jones, Benny" wrote:
>
> On the sensors that are running snort 1.8, I'm seeing a field in
> my syslog alerts that looks like [1:0:0].  I've looked through the
> docs, but can't find what this means.  I'm hoping the answer isn't
> too awfully obvious, but could someone tell me what this is?  TIA.
>
> Benny

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users