Column headers for downloaded Snort alert logs



  • Does anyone know what each column represents in the alert file (when you select Download from the Snort alerts page)?

    It looks to me like it is (from left to right):

    Date
    first part of SID
    second part of SID
    ? - Not sure what this is
    Description
    Proto
    Source
    SPort
    Destination
    DPort
    ? - Not sure what this is
    Class
    ? - Not sure what this is

    If anyone can fill in the blanks on those three columns I haven't identified (or correct anything else I have wrong) it would be much appreciated.



  • Date
    GID
    SID#
    SID version
    Description
    Proto
    Source
    SPort
    Destination
    DPort
    Class
    Class Priority



  • Thanks fsansfil, that looks good, but it looks like there might be one more column.

    Between the DPort and Class columns I have a column with large numbers. These numbers don't appear in the Alerts in the GUI, so I am having a hard time matching them up.

    Any help would be appreciated.



  • @jeffh:

    Thanks fsansfil, that looks good, but it looks like there might be one more column.

    Between the DPort and Class columns I have a column with large numbers. These numbers don't appear in the Alerts in the GUI, so I am having a hard time matching them up.

    Any help would be appreciated.

    That is the IP Header ID field.

    Bill
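As an added example (not code from this thread or from the Snort/pfSense project), a small Python parser that names the thirteen columns identified above and pulls out the IP header ID field; it assumes the fields are comma-separated, as Snort's alert_csv output writes them, and that the description is the only column that may itself contain a comma.

```python
from typing import Dict, List

# Column layout as identified in the thread (left to right).
COLUMNS = [
    "date", "gid", "sid", "sid_rev", "description", "proto",
    "src", "src_port", "dst", "dst_port", "ip_id", "class", "priority",
]
INT_COLUMNS = ("gid", "sid", "sid_rev", "src_port", "dst_port", "ip_id", "priority")


def parse_alert_line(line: str) -> Dict[str, object]:
    """Parse one line of the downloaded alert file into named fields.

    Assumption: comma-separated fields in the thread's order. Since the
    description is the only free-text column, a line with more than 13
    fields is recovered by re-joining the surplus into the description.
    """
    fields = line.rstrip("\n").split(",")
    if len(fields) < len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
    head = fields[:4]                      # date, gid, sid, sid_rev
    tail = fields[-8:]                     # proto .. priority
    description = ",".join(fields[4:len(fields) - 8])
    record = dict(zip(COLUMNS, head + [description] + tail))
    for key in INT_COLUMNS:
        record[key] = int(record[key])
    return record


def parse_alert_file(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line of a downloaded alert file."""
    return [parse_alert_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample lines (not taken from the original post); the second
# has a comma inside the description to exercise the re-join logic.
SAMPLE = """\
03/05-14:22:01.123456,1,1000001,2,LOCAL suspicious reply,TCP,203.0.113.45,80,192.168.1.10,51234,54321,Potentially Bad Traffic,2
03/05-14:23:17.000001,1,1000002,1,LOCAL test rule, with comma in msg,UDP,192.168.1.10,53000,198.51.100.7,53,12,Misc activity,3
"""

if __name__ == "__main__":
    for r in parse_alert_file(SAMPLE):
        print(f"{r['gid']}:{r['sid']}:{r['sid_rev']} {r['src']}:{r['src_port']} -> "
              f"{r['dst']}:{r['dst_port']} ipid={r['ip_id']} {r['description']}")
```

The IP header ID (the eleventh column) is what the GUI does not show, so correlating a downloaded line with a packet capture goes through that value rather than the GUI's alert list.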

