9.23. Decoding Snort Alert Messages

Problem

You want to understand a Snort alert message.

Solution

Consult the Snort signature database at http://www.snort.org/snort-db, using the signature ID as an index, or searching based on the text message. Most alerts are described in detail, and many include links to other NIDS databases with even more information, such as the arachNIDS database at http://www.whitehats.com.

Discussion

Let’s decode an alert message produced when Snort detects a port scan by nmap [Recipe 9.13]:

Mar 18 19:40:52 whimsy snort[3115]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {ICMP} 10.120.66.1 -> 10.22.33.106

Breaking apart this single line, we first have the usual syslog information:

Mar 18 19:40:52 whimsy snort[3115]:

which includes a timestamp, the hostname where Snort was running, and the Snort identifier with its process ID. Next we have:

[1:469:1] ICMP PING NMAP

In this portion of the alert, the first number, 1, is the generator ID, which identifies the Snort subsystem that produced the alert; the value 1 means the Snort rules engine itself. The second number, 469, is the signature ID (SID), which identifies the rule that fired and corresponds to the text message that follows (ICMP PING NMAP). The final number, 1, is the rule's revision number, which is incremented each time the rule is modified, so the same SID may appear with different revisions across Snort releases.

If the alert were produced by a Snort preprocessor rather than by a rule, the generator ID would be a higher value identifying that preprocessor (Snort's gen-msg.map file maps generator and signature IDs to their messages), and the name of the preprocessor would be listed in parentheses before the text message. For example:

[111:10:1] (spp_stream4) ...
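The field order described above is regular enough to parse mechanically, which is what you want when triaging more than a handful of alerts. The following Python script is an added example and is not part of the original recipe or of Snort itself. It parses Snort's syslog-style alert lines into their components, skips the non-alert messages Snort also sends to syslog, and generalizes slightly beyond the ICMP line above by splitting the "addr:port" form that Snort prints for TCP and UDP alerts. The first sample line is the alert discussed in this recipe; the other two are constructed for illustration, and the preprocessor alert's SID and message text are invented rather than taken from any real rule set.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One Snort alert in syslog output format, in the field order discussed above:
# syslog prefix, [gid:sid:rev], optional "(preprocessor)" tag, message text,
# optional [Classification: ...], [Priority: N], optional <interface>,
# {protocol}, and "src -> dst".
ALERT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preprocessor>[^)]+)\) )?"
    r"(?P<message>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: "
    r"(?:<(?P<interface>[^>]+)> )?"
    r"\{(?P<protocol>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample log. Line 1 is the alert from this recipe; lines 2 and 3
# are invented: a preprocessor alert with TCP ports and no classification,
# and a non-alert Snort startup message that a parser must skip.
SAMPLE_LOG = [
    "Mar 18 19:40:52 whimsy snort[3115]: [1:469:1] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: "
    "<eth1> {ICMP} 10.120.66.1 -> 10.22.33.106",
    "Mar 18 19:40:53 whimsy snort[3115]: [111:10:1] (spp_stream4) "
    "STEALTH ACTIVITY (XMAS scan) detection [Priority: 3]: "
    "<eth1> {TCP} 10.120.66.1:44193 -> 10.22.33.106:22",
    "Mar 18 19:39:01 whimsy snort[3115]: Snort initialization completed successfully",
]


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    pid: int
    gid: int
    sid: int
    rev: int
    preprocessor: Optional[str]
    message: str
    classification: Optional[str]
    priority: int
    interface: Optional[str]
    protocol: str
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]

    @property
    def signature(self) -> str:
        # The gid:sid:rev triple as Snort prints it, useful as a lookup key.
        return f"{self.gid}:{self.sid}:{self.rev}"

    @property
    def origin(self) -> str:
        # Generator ID 1 is the rules engine; any other generator is a
        # preprocessor, which Snort names in parentheses before the message.
        if self.gid == 1:
            return "rules engine"
        return self.preprocessor or f"generator {self.gid}"


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split Snort's 'addr:port' (TCP/UDP) into address and port. ICMP and
    raw IP alerts carry a bare address. Snort of this era printed IPv4 only,
    so a single colon is a reliable port separator."""
    if endpoint.count(":") == 1:
        addr, port = endpoint.split(":")
        return addr, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    src_addr, src_port = split_endpoint(m["src"])
    dst_addr, dst_port = split_endpoint(m["dst"])
    return SnortAlert(
        timestamp=m["timestamp"], host=m["host"], pid=int(m["pid"]),
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        preprocessor=m["preprocessor"], message=m["message"],
        classification=m["classification"], priority=int(m["priority"]),
        interface=m["interface"], protocol=m["protocol"],
        src_addr=src_addr, src_port=src_port,
        dst_addr=dst_addr, dst_port=dst_port,
    )


def parse_alerts(lines: Iterable[str]) -> List[SnortAlert]:
    """Parse a whole log, silently dropping non-alert lines."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_LOG):
        print(f"[{alert.signature}] {alert.origin}: prio={alert.priority} "
              f"{alert.protocol} {alert.src_addr}:{alert.src_port} -> "
              f"{alert.dst_addr}:{alert.dst_port}  {alert.message}")
```

The classification and interface fields are optional in the pattern because Snort omits the classification when a rule has no classtype and prints the interface only when told to include it, so a parser that insists on both will silently lose exactly the preprocessor alerts that are hardest to interpret by eye.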
