On Fri, May 06, Martin G.H. Minkler wrote:
> Not sure whether this belongs here but no one answered over at
> debian-firewall - I've had strange results in my snort logs that I can't
> really interpret, the sid 1 doesn't look like a "normal" snort result to
[...]
> 02/22-17:58:46.493171 [**] [121:1:1] Portscan detected from <scanning
> machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)

This is normal. "121" is the genID of this preprocessor (flow-portscan). "1" is the sigID for this preprocessor's event (Fixed Scale Scanner). The remaining "1" is the revision.

You can look at <snort src>/etc/gen-msg.map for a listing of all the possible combinations you might see. The FAQ in section 4.32 also describes this. I'm not sure if this is in the official manual or not (I'll have to look). If it isn't, I'll toss it over.
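The lookup described in the reply above, as an added example that is not part of the original message or of Snort's own code: it splits the [gid:sid:rev] triple out of an alert line and resolves it against gen-msg.map text. The function names are hypothetical, the "gid || sid || message" layout is assumed from the Snort 2.x file, and the map entry is constructed from the reply's wording rather than copied from the shipped file.

```python
import re

# Constructed sample in the "gid || sid || message" layout of gen-msg.map;
# the 121:1 text follows the reply's description, not the shipped file.
SAMPLE_GEN_MSG_MAP = """\
# constructed sample, not the shipped file
121 || 1 || flow-portscan: Fixed Scale Scanner
"""

# Alert line from the thread, with the redacted address left as posted.
SAMPLE_ALERT = ("02/22-17:58:46.493171 [**] [121:1:1] Portscan detected from "
                "<scanning machine's IP> Talker(fixed: 0 sliding: 0) "
                "Scanner(fixed: 15 sliding: 15)")

ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*)")


def load_gen_msg_map(text):
    """Return {(gid, sid): message}, skipping comments and malformed lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def explain_alert(line, table):
    """Split an alert into gid/sid/rev and say where its message comes from."""
    m = ALERT_ID.search(line)
    if m is None:
        return None
    gid, sid, rev = (int(g) for g in m.groups()[:3])
    if gid == 1:
        # gid 1 is Snort's text-rule engine, so the sid names a rule instead.
        origin = "text rule (look the sid up in the rules files)"
    else:
        origin = table.get((gid, sid), "gid/sid not in gen-msg.map")
    return {"gid": gid, "sid": sid, "rev": rev, "origin": origin,
            "text": m.group(4).rstrip()}


if __name__ == "__main__":
    print(explain_alert(SAMPLE_ALERT, load_gen_msg_map(SAMPLE_GEN_MSG_MAP)))
```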

