Column headers for downloaded Snort alert logs

jeffhammett

Does anyone know what each column represents in the alert file (when you select Download from the Snort alerts page)

It looks to me like it is (from left to right):

Date
first part of SID
second part of SID
? - Not sure what this is
Description
Proto
Source
SPort
Destination
DPort
? - Not sure what this is
Class
? - Not sure what this is

If anyone can fill in the blanks on those three columns I haven't identified (or correct anything else I have wrong) it would be much appreciated.

fsansfil

Date
GID
SID#
SID version
Description
Proto
Source
SPort
Destination
DPort
Class
Class Priority

jeffhammett

Thanks fsansfil, that looks good, but it looks like there might be one more column.

Between the DPort and Class columns I have a column with large numbers. These numbers don't appear in the Alerts in the GUI, so I am having a hard time matching them up.

Any help would be appreciated.

bmeeks

@jeffh:

Thanks fsansfil, that looks good, but it looks like there might be one more column.

Between the DPort and Class columns I have a column with large numbers. These numbers don't appear in the Alerts in the GUI, so I am having a hard time matching them up.

Any help would be appreciated.

That is the IP Header ID field.

Bill