# $Id$ # GENERATORS -> msg map # Format: generatorid || alertid || MSG 1 || 1 || snort general alert 2 || 1 || tag: Tagged Packet 3 || 1 || snort dynamic alert 100 || 1 || spp_portscan: Portscan Detected 100 || 2 || spp_portscan: Portscan Status 100 || 3 || spp_portscan: Portscan Ended 101 || 1 || spp_minfrag: minfrag alert 102 || 1 || http_decode: Unicode Attack 102 || 2 || http_decode: CGI NULL Byte Attack 102 || 3 || http_decode: large method attempted 102 || 4 || http_decode: missing uri 102 || 5 || http_decode: double encoding detected 102 || 6 || http_decode: illegal hex values detected 102 || 7 || http_decode: overlong character detected 103 || 1 || spp_defrag: Fragmentation Overflow Detected 103 || 2 || spp_defrag: Stale Fragments Discarded 104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded 104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted 105 || 1 || spp_bo: Back Orifice Traffic Detected 105 || 2 || spp_bo: Back Orifice Client Traffic Detected 105 || 3 || spp_bo: Back Orifice Server Traffic Detected 105 || 4 || spp_bo: Back Orifice Snort Buffer Attack 106 || 1 || spp_rpc_decode: Fragmented RPC Records 106 || 2 || spp_rpc_decode: Multiple Records in one packet 106 || 3 || spp_rpc_decode: Large RPC Record Fragment 106 || 4 || spp_rpc_decode: Incomplete RPC segment 106 || 5 || spp_rpc_decode: Zero-length RPC Fragment 110 || 1 || spp_unidecode: CGI NULL Attack 110 || 2 || spp_unidecode: Directory Traversal 110 || 3 || spp_unidecode: Unknown Mapping 110 || 4 || spp_unidecode: Invalid Mapping 111 || 1 || spp_stream4: Stealth Activity Detected 111 || 2 || spp_stream4: Evasive Reset Packet 111 || 3 || spp_stream4: Retransmission 111 || 4 || spp_stream4: Window Violation 111 || 5 || spp_stream4: Data on SYN Packet 111 || 6 || spp_stream4: Full XMAS Stealth Scan 111 || 7 || spp_stream4: SAPU Stealth Scan 111 || 8 || spp_stream4: FIN Stealth Scan 111 || 9 || spp_stream4: NULL Stealth Scan 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan 111 || 11 || spp_stream4: VECNA Stealth Scan 111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection 111 || 13 || spp_stream4: SYN FIN Stealth Scan 111 || 14 || spp_stream4: TCP forward overlap detected 111 || 15 || spp_stream4: TTL Evasion attempt 111 || 16 || spp_stream4: Evasive retransmitited data attempt 111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt 111 || 18 || spp_stream4: Multiple acked 111 || 19 || spp_stream4: Shifting to Emegency Session Mode 111 || 20 || spp_stream4: Shifting to Suspend Mode 111 || 21 || spp_stream4: TCP Timestamp option has value of zero 111 || 22 || spp_stream4: Too many overlapping TCP packets 111 || 23 || spp_stream4: Packet in established TCP stream missing ACK 111 || 24 || spp_stream4: Evasive FIN Packet 111 || 25 || spp_stream4: SYN on established 112 || 1 || spp_arpspoof: Directed ARP Request 112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC 112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST 112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack 113 || 1 || spp_frag2: Oversized Frag 113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack 113 || 3 || spp_frag2: TTL evasion detected 113 || 4 || spp_frag2: overlap detected 113 || 5 || spp_frag2: Duplicate first fragments 113 || 6 || spp_frag2: memcap exceeded 113 || 7 || spp_frag2: Out of order fragments 113 || 8 || spp_frag2: IP Options on Fragmented Packet 113 || 9 || spp_frag2: Shifting to Emegency Session Mode 113 || 10 || spp_frag2: Shifting to Suspend Mode 114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected 114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected 114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected 114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected 115 || 1 || spp_asn1: Indefinite ASN.1 length encoding 115 || 2 || spp_asn1: Invalid ASN.1 length encoding 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length 116 || 1 || snort_decoder: Not IPv4 datagram! 116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN! 116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len! 116 || 4 || snort_decoder: Bad IPv4 Options 116 || 5 || snort_decoder: Truncated IPv4 Options 116 || 6 || snort_decoder: WARNING: hlen > IP_HEADER_LEN! 116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes! 116 || 46 || snort_decoder: TCP Data Offset is less than 5! 116 || 47 || snort_decoder: TCP Data Offset is longer than payload! 116 || 54 || snort_decoder: Tcp Options found with bad lengths 116 || 55 || snort_decoder: Truncated Tcp Options 116 || 56 || snort_decoder: T/TCP Detected 116 || 57 || snort_decoder: Obsolete TCP options 116 || 58 || snort_decoder: Experimental TCP options 116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14) 116 || 95 || snort_decoder: Truncated UDP Header! 116 || 96 || snort_decoder: Invalid UDP header, length field < 8 116 || 97 || snort_decoder: Short UDP packet, length field > payload length 116 || 98 || snort_decoder: Long UDP packet, length field < payload length 116 || 105 || snort_decoder: ICMP Header Truncated! 116 || 106 || snort_decoder: ICMP Timestamp Header Truncated! 116 || 107 || snort_decoder: ICMP Address Header Truncated! 116 || 108 || snort_decoder: Unknown Datagram decoding problem! 116 || 109 || snort_decoder: Truncated ARP Packet! 116 || 110 || snort_decoder: Truncated EAP Header! 116 || 111 || snort_decoder: EAP Key Truncated! 116 || 112 || snort_decoder: EAP Header Truncated! 116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected! 116 || 130 || snort_decoder: WARNING: Bad VLAN Frame! 116 || 131 || snort_decoder: WARNING: Bad LLC header! 116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info! 116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header! 116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info! 116 || 140 || snort_decoder: WARNING: Bad Token Ring Header! 116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header! 116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header! 116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header! 116 || 150 || snort_decoder: Bad Traffic Loopback IP! 116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP! 116 || 160 || snort_decoder: WARNING: GRE header length > payload length 116 || 161 || snort_decoder: WARNING: Multiple GRE encapsulations in packet 116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!" 116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!" 116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!" 116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!" 116 || 254 || snort_decoder: WARNING: ICMP Origianl IP Payload > 576 bytes!" 116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!" 117 || 1 || spp_portscan2: Portscan detected! 118 || 1 || spp_conversation: Bad IP protocol! 119 || 1 || http_inspect: ASCII ENCODING 119 || 2 || http_inspect: DOUBLE DECODING ATTACK 119 || 3 || http_inspect: U ENCODING 119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING 119 || 5 || http_inspect: BASE36 ENCODING 119 || 6 || http_inspect: UTF-8 ENCODING 119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING 119 || 8 || http_inspect: MULTI_SLASH ENCODING 119 || 9 || http_inspect: IIS BACKSLASH EVASION 119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL 119 || 11 || http_inspect: DIRECTORY TRAVERSAL 119 || 12 || http_inspect: APACHE WHITESPACE (TAB) 119 || 13 || http_inspect: NON-RFC HTTP DELIMITER 119 || 14 || http_inspect: NON-RFC DEFINED CHAR 119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY 119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING 119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED 119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded 121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded 122 || 1 || portscan: TCP Portscan 122 || 2 || portscan: TCP Decoy Portscan 122 || 3 || portscan: TCP Portsweep 122 || 4 || portscan: TCP Distributed Portscan 122 || 5 || portscan: TCP Filtered Portscan 122 || 6 || portscan: TCP Filtered Decoy Portscan 122 || 7 || portscan: TCP Filtered Portsweep 122 || 8 || portscan: TCP Filtered Distributed Portscan 122 || 9 || portscan: IP Protocol Scan 122 || 10 || portscan: IP Decoy Protocol Scan 122 || 11 || portscan: IP Protocol Sweep 122 || 12 || portscan: IP Distributed Protocol Scan 122 || 13 || portscan: IP Filtered Protocol Scan 122 || 14 || portscan: IP Filtered Decoy Protocol Scan 122 || 15 || portscan: IP Filtered Protocol Sweep 122 || 16 || portscan: IP Filtered Distributed Protocol Scan 122 || 17 || portscan: UDP Portscan 122 || 18 || portscan: UDP Decoy Portscan 122 || 19 || portscan: UDP Portsweep 122 || 20 || portscan: UDP Distributed Portscan 122 || 21 || portscan: UDP Filtered Portscan 122 || 22 || portscan: UDP Filtered Decoy Portscan 122 || 23 || portscan: UDP Filtered Portsweep 122 || 24 || portscan: UDP Filtered Distributed Portscan 122 || 25 || portscan: ICMP Sweep 122 || 26 || portscan: ICMP Filtered Sweep 122 || 27 || portscan: Open Port 123 || 1 || frag3: IP Options on fragmented packet 123 || 2 || frag3: Teardrop attack 123 || 3 || frag3: Short fragment, possible DoS attempt 123 || 4 || frag3: Fragment packet ends after defragmented packet 123 || 5 || frag3: Zero-byte fragment 123 || 6 || frag3: Bad fragment size, packet size is negative 123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 123 || 8 || frag3: Fragmentation overlap 124 || 1 || smtp: Attempted command buffer overflow 124 || 2 || smtp: Attempted data header buffer overflow 124 || 3 || smtp: Attempted response buffer overflow 124 || 4 || smtp: Attempted specific command buffer overflow 124 || 5 || smtp: Unknown command 124 || 6 || smtp: Illegal command 124 || 7 || smtp: Attempted header name buffer overflow 125 || 1 || ftp_pp: Telnet command on FTP command channel 125 || 2 || ftp_pp: Invalid FTP command 125 || 3 || ftp_pp: FTP parameter length overflow 125 || 4 || ftp_pp: FTP malformed parameter 125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter 125 || 6 || ftp_pp: FTP response length overflow 125 || 7 || ftp_pp: FTP command channel encrypted 125 || 8 || ftp_pp: FTP bounce attack 125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel 126 || 1 || telnet_pp: Telnet consecutive AYT overflow 126 || 2 || telnet_pp: Telnet data encrypted 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End 128 || 1 || ssh: Gobbles exploit 128 || 2 || ssh: SSH1 CRC32 exploit 128 || 3 || ssh: Server version string overflow 128 || 4 || ssh: Protocol mismatch 128 || 5 || ssh: Bad message direction 128 || 6 || ssh: Payload size incorrect for the given payload 128 || 7 || ssh: Failed to detect SSH version string 129 || 1 || stream5: SYN on established session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 130 || 1 || dcerpc: Maximum memory usage reached 131 || 1 || dns: Obsolete DNS RData Type 131 || 2 || dns: Experimental DNS RData Type 131 || 3 || dns: Client RData TXT Overflow