Post-inspection processing
In this section, we will discuss what happens after packet inspection and rule matching are complete. When a rule matches, an event is generated. That event is then checked against any applicable thresholding. If it survives thresholding, the rule action is applied to the packet. Finally, the alert for the event is logged.
The following steps are involved when Snort successfully triggers a rule and generates an event:
- Event generation
- Check event thresholding rules
- Apply rule action for the packet
- Log the alert
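To make these four steps concrete, the following is an added Python model of the post-inspection pipeline. It is an illustration written for this page, not Snort's own code. It assumes Snort's documented threshold keyword semantics (type limit, threshold or both; track by_src or by_dst; count; seconds) and a simplified form of Snort's fast-alert line format, and it includes the rule revision (rev) alongside gid and sid because the alert line carries all three. The rules, IP addresses and timestamps are constructed for the demonstration; the model goes slightly beyond the text above by exercising two different threshold types so the suppression behaviour can be seen.

```python
"""Toy model of Snort's post-inspection pipeline (added illustration, not Snort's code).

A matched packet is walked through the four steps: event generation (gid/sid/rev),
event thresholding, rule action, and alert logging. Threshold semantics follow the
documented `threshold` keyword: type limit | threshold | both, track by_src | by_dst,
count, seconds.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    rev: int
    msg: str
    action: str                       # alert, log or drop
    threshold: Optional[dict] = None  # e.g. {"type": "limit", "track": "by_src", "count": 1, "seconds": 60}


@dataclass(frozen=True)
class Event:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str
    dst: str
    ts: float


class Thresholder:
    """Per (gid, sid, tracked IP) counter with a start-of-window timestamp."""

    def __init__(self) -> None:
        self._state = defaultdict(lambda: {"start": None, "count": 0})

    def allow(self, rule: Rule, ev: Event) -> bool:
        th = rule.threshold
        if th is None:                       # no threshold option: every event goes through
            return True
        ip = ev.src if th["track"] == "by_src" else ev.dst
        st = self._state[(ev.gid, ev.sid, ip)]
        # Open a new window on the first event or once `seconds` have elapsed.
        if st["start"] is None or ev.ts - st["start"] >= th["seconds"]:
            st["start"], st["count"] = ev.ts, 0
        st["count"] += 1
        n, c = st["count"], th["count"]
        if th["type"] == "limit":            # only the first c events per window alert
            return n <= c
        if th["type"] == "threshold":        # every c-th event in the window alerts
            return n % c == 0
        if th["type"] == "both":             # exactly one alert per window, after c events
            return n == c
        raise ValueError(f"unknown threshold type {th['type']!r}")


def format_fast_alert(ev: Event) -> str:
    # Simplified shape of Snort's fast alert output; the timestamp is kept numeric.
    return f"{ev.ts:.6f} [**] [{ev.gid}:{ev.sid}:{ev.rev}] {ev.msg} [**] {ev.src} -> {ev.dst}"


def post_inspection(rule: Rule, src: str, dst: str, ts: float,
                    thresholder: Thresholder, alert_log: List[str]) -> str:
    """Run the four post-inspection steps for one matched packet; return the verdict."""
    ev = Event(rule.gid, rule.sid, rule.rev, rule.msg, src, dst, ts)  # 1. event generation
    if not thresholder.allow(rule, ev):                               # 2. thresholding
        return "suppressed"
    verdict = "drop" if rule.action == "drop" else "forward"          # 3. rule action on the packet
    if rule.action in ("alert", "drop"):                              # 4. log the alert ("log" logs the packet only)
        alert_log.append(format_fast_alert(ev))
    return verdict


def run_demo() -> List[str]:
    """Constructed packet stream (not captured traffic) exercising `limit` and `threshold`."""
    limit_rule = Rule(1, 1000001, 1, "SSH login guess (limit 1 per 60s per source)", "alert",
                      {"type": "limit", "track": "by_src", "count": 1, "seconds": 60})
    thr_rule = Rule(1, 1000002, 1, "ICMP echo burst (every 3rd event)", "alert",
                    {"type": "threshold", "track": "by_src", "count": 3, "seconds": 60})
    th, log = Thresholder(), []
    # One source hits the limit rule four times: alerts at t=0 and again at t=61 (new window).
    for ts in (0.0, 1.0, 2.0, 61.0):
        post_inspection(limit_rule, "10.0.0.5", "10.0.0.10", ts, th, log)
    post_inspection(limit_rule, "10.0.0.6", "10.0.0.10", 3.0, th, log)  # other source: own counter
    # Seven ICMP events from one source: alerts on the 3rd (t=7) and 6th (t=10).
    for ts in range(5, 12):
        post_inspection(thr_rule, "10.0.0.7", "10.0.0.10", float(ts), th, log)
    return log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point to take from the model is that thresholding sits between event generation and the rule action: an event that is suppressed never reaches the action or the alert log, while each tracked source (or destination) keeps its own counter under the same gid and sid.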
Let’s discuss each of these steps briefly.
Event generation
A Snort event is associated with the rule that triggered it and is identified by a generator ID (gid) and a signature ID (sid). A typical Snort rule has an associated signature ID, which is specified using the rule option called sid (please refer to Chapter 13 for more details). The gid for a typical rule...