Getting More Information About ISP Snort Rules

Periodically, we in Information Security and Policy (ISP) get asked for details on the Snort IDS rules we use when we send out notices about compromised systems or potential compromises. While we use thousands of different rules and cannot fully document them all individually, it is possible to find out more about the alert that was triggered by looking in the logs we provide.

In every snort alert, there is a section that reads something like [1:2007588:2]. This breaks down as [(detection mechanism):(signature ID):(signature revision)]. Using the SID (the middle number) you can find more information about most signatures.

If the number is less than 1000000, it is a SourceFire rule (the company that maintains the snort source code). In this case you can get more information about the rule by going to https://www.snort.org/rule_docs.

If the number is between 1000000 and 2000000, it is a snort community rule. Unfortunately, in this case, the best source of information will be the rule itself which can be downloaded from Community Rules. As a general rule we don't use too many community rules because they are only rarely updated.

If the number is between 2000000 and 3000000 it comes from emergingthreats.net and you can get more information by going to http://doc.emergingthreats.net/bin/view/Main/<sid number> as seen in the example above.

Finally, if the number is in the 6000000 to 7000000 range it is a custom rule that we have developed based upon patterns and break-ins we have seen on campus. For more information on these alerts you will have to contact us at security@berkeley.edu. As a general rule we try to limit the distribution of our custom rules because they represent particular issues, and too much disclosure could warn attackers and potential attackers what we look for and help them evade detection.
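The lookup procedure above can be automated for a batch of alert lines. The following Python is an added example written for this page, not a tool from ISP: it extracts the [gid:sid:rev] tag from each alert, classifies the SID using the ranges listed above, and produces the place to look it up. The sample alert lines, their messages and addresses are constructed (only SID 2007588 comes from the page), the Community Rules hint is a placeholder because the page gives no URL for that download, and the treatment of range boundaries (lower bound inclusive, upper bound exclusive) is an assumption.

```python
"""Parse the [gid:sid:rev] tag from Snort alert lines and map each SID to its
documentation source, following the SID ranges described on this page.
Added example; not ISP's own tooling."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Every Snort alert carries a "[gid:sid:rev]" tag, e.g. "[1:2007588:2]".
_ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

# Documentation locations quoted on the page. The community hint is a
# placeholder: the page names "Community Rules" but gives no URL.
SOURCEFIRE_DOCS = "https://www.snort.org/rule_docs"
EMERGING_THREATS_DOCS = "http://doc.emergingthreats.net/bin/view/Main/"
COMMUNITY_RULES_HINT = "download the Community Rules and search them for the SID"
ISP_CONTACT = "security@berkeley.edu"


class SnortAlertId(NamedTuple):
    gid: int  # detection mechanism (generator) that fired
    sid: int  # signature ID
    rev: int  # signature revision


def parse_alert_id(alert_line: str) -> Optional[SnortAlertId]:
    """Return the first [gid:sid:rev] triplet found in an alert line, or None."""
    m = _ALERT_ID_RE.search(alert_line)
    if not m:
        return None
    return SnortAlertId(*(int(g) for g in m.groups()))


def classify_sid(sid: int) -> str:
    """Map a SID to its rule source using the ranges given on the page.

    Assumption: each range's lower bound is inclusive and its upper bound
    exclusive; SIDs outside every listed range are reported as unknown.
    """
    if sid < 1_000_000:
        return "sourcefire"
    if sid < 2_000_000:
        return "community"
    if sid < 3_000_000:
        return "emergingthreats"
    if 6_000_000 <= sid < 7_000_000:
        return "isp-custom"
    return "unknown"


def doc_reference(sid: int) -> str:
    """Where to look up a SID: a URL, a download hint, or the ISP contact."""
    source = classify_sid(sid)
    if source == "sourcefire":
        return SOURCEFIRE_DOCS
    if source == "community":
        return COMMUNITY_RULES_HINT
    if source == "emergingthreats":
        return EMERGING_THREATS_DOCS + str(sid)
    if source == "isp-custom":
        return f"contact {ISP_CONTACT}"
    return "no documented source for this SID range"


def triage_alerts(lines: List[str]) -> List[Tuple[SnortAlertId, str, str]]:
    """Return (alert id, source, lookup reference) for each parseable alert line."""
    results = []
    for line in lines:
        alert_id = parse_alert_id(line)
        if alert_id is None:
            continue  # not an alert line (preamble, blank line, ...)
        results.append((alert_id, classify_sid(alert_id.sid), doc_reference(alert_id.sid)))
    return results


# Constructed sample alerts in Snort "fast" output format. SID 2007588 is the
# one quoted on the page; the other SIDs, messages and addresses are made up.
SAMPLE_ALERTS = [
    "10/24-12:34:56.789012  [**] [1:2007588:2] ET EXAMPLE constructed message [**] "
    "[Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80",
    "10/24-12:35:01.000001  [**] [1:2345:7] SOURCEFIRE-RANGE constructed message [**] "
    "[Priority: 2] {TCP} 203.0.113.5:443 -> 192.0.2.11:49152",
    "10/24-12:35:09.000002  [**] [1:1000123:1] COMMUNITY-RANGE constructed message [**] "
    "[Priority: 3] {UDP} 192.0.2.12:53 -> 198.51.100.9:1024",
    "10/24-12:35:15.000003  [**] [1:6000001:3] ISP-CUSTOM-RANGE constructed message [**] "
    "[Priority: 1] {TCP} 192.0.2.13:22 -> 203.0.113.6:33333",
    "this line has no alert tag and is skipped",
]

if __name__ == "__main__":
    for alert_id, source, ref in triage_alerts(SAMPLE_ALERTS):
        print(f"gid={alert_id.gid} sid={alert_id.sid} rev={alert_id.rev} "
              f"source={source} lookup={ref}")
```

Running it against a real alert log is a matter of passing the file's lines to `triage_alerts`; lines without a `[gid:sid:rev]` tag are skipped rather than treated as errors, since Snort logs mix alert records with other output.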