Notice protocol fields
This reference provides definitions for the protocol fields that appear in notice logs when intrusion policy rules are triggered, helping you understand the information captured in security event logs.
The notice protocol fields provide detailed information about intrusion events. These fields include:
| Field | Description |
|---|---|
| action | The intrusion policy action that was configured for the triggered intrusion policy rule, for example alert, drop, or pass. |
| gid | The GID of the intrusion rule that triggered the log. This value is collected and displayed even if the rule is disabled. |
| msg | The message associated with the intrusion rule that triggered the log. This field provides a description of why the flow was logged. |
| proto | The transport layer protocol associated with the event, for example, IP, ICMP, TCP, or UDP. |
| rev | The revision number of the intrusion rule that was triggered. |
| refs | A list of references (URLs) associated with the intrusion rule. These references provide additional information about the specific threat or vulnerability the rule is designed to detect. The references are expanded to full URLs in the log. |
| sid | The SID of the intrusion rule that triggered the log. This value is collected and displayed even if the rule is disabled. |
| source | The name of the inspector module that was assigned to process the flow. This identifies the specific component within Snort that detected the anomaly. The name of the module appears similar to that in the Network Analysis Policy. |
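As an added example that is not part of this reference or of the product's own tooling: a Python helper that parses notice records carrying the fields above, keys them by gid:sid:rev (the identity of the exact rule revision that fired), and lists the rules whose matched traffic was never dropped. It assumes one JSON object per line using these field names; the sample records, rule numbers and URLs are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample notice records. The field names come from the table above;
# JSON-per-line serialization and the concrete values are assumptions for this
# example, not real rule data.
SAMPLE_NOTICES = [
    '{"action": "alert", "gid": 1, "sid": 1000001, "rev": 3, "msg": "EXAMPLE suspicious HTTP header", "proto": "TCP", "refs": ["https://example.invalid/ref/1"], "source": "http_inspect"}',
    '{"action": "alert", "gid": 1, "sid": 1000001, "rev": 3, "msg": "EXAMPLE suspicious HTTP header", "proto": "TCP", "refs": ["https://example.invalid/ref/1"], "source": "http_inspect"}',
    '{"action": "drop", "gid": 1, "sid": 1000002, "rev": 1, "msg": "EXAMPLE DNS query anomaly", "proto": "UDP", "refs": [], "source": "dns"}',
    '{"action": "pass", "gid": 116, "sid": 1000003, "rev": 2, "msg": "EXAMPLE decoder anomaly", "proto": "ICMP", "refs": ["https://example.invalid/ref/3"], "source": "codec"}',
]

REQUIRED_FIELDS = {"action", "gid", "sid", "rev", "msg", "proto", "refs", "source"}


def parse_notice(line):
    """Parse one JSON notice record and attach a gid:sid:rev rule identifier."""
    rec = json.loads(line)
    missing = REQUIRED_FIELDS - rec.keys()
    if missing:
        raise ValueError(f"notice record missing fields: {sorted(missing)}")
    # gid, sid and rev together identify the exact rule revision that fired.
    rec["rule_id"] = f"{rec['gid']}:{rec['sid']}:{rec['rev']}"
    return rec


def summarize(lines):
    """Group notices by rule: hit count, actions taken, protocols, references, source."""
    by_rule = defaultdict(lambda: {"count": 0, "actions": Counter(), "protos": set(),
                                   "refs": set(), "msg": "", "source": ""})
    for line in lines:
        rec = parse_notice(line)
        entry = by_rule[rec["rule_id"]]
        entry["count"] += 1
        entry["actions"][rec["action"]] += 1
        entry["protos"].add(rec["proto"])
        entry["refs"].update(rec["refs"])
        entry["msg"] = rec["msg"]
        entry["source"] = rec["source"]
    return dict(by_rule)


def unblocked_rules(summary):
    """Rule ids that fired but never had a 'drop' action recorded: the traffic
    they matched was allowed through, so these deserve triage first."""
    return sorted(rule for rule, s in summary.items() if s["actions"]["drop"] == 0)
```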