Re: [Snort-sigs] event_id

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Fri Oct 10 2003 - 15:38:56 EDT

At 11:08 AM 10/10/2003, Martin Jr., D. Michael wrote:
>What does the "event_id" in the snort log refer to?

I suspect that event_id is just a counter of events that snort has alerted on. My setup of snort doesn't log these, so I don't know exactly what it's about.

"type" and "code" are a part of the ICMP packet format, and are information about the original packet that snort alerted on.

ICMP messages are specified for several different types, and each type has codes defined under it.

In this packet type 8 is echo request.. aka ping request. Code 0 is the only code for type 8.

Another common ICMP message type is type 3, which is destination unreachable. There are 16 different codes for type 3, which define different reasons as to why the destination was unreachable. Code 0 is network unreachable, whereas code 3 is port unreachable, and 13 is administratively prohibited by filtering.

If you need details about ICMP, RFC 792 specifies the basics of ICMP, but many of the ICMP message defenitions are scattered across a bunch of different RFCs. This site seems to have most of the references you might want handy in one spot.
http://www.networksorcery.com/enp/protocol/icmp.htm

RFC 1700, the RFC of assigned numbers by IANA is also handy.

---

This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Fri Oct 10 15:58:22 2003