
Display Filter Reference: Snort Alerts

Protocol field name: snort

Versions: 2.4.0 to 4.2.4


| Field name | Description | Type | Versions |
|---|---|---|---|
| snort.alert.expert | Snort alert detected | Label | 2.4.0 to 4.2.4 |
| snort.class | Alert Classification | Character string | 2.4.0 to 4.2.4 |
| snort.content | Content | Character string | 2.4.0 to 4.2.4 |
| snort.content.not-matched | Failed to find content field of alert in frame | Label | 2.4.0 to 4.2.4 |
| snort.generator | Rule Generator | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.global-stats | Global Stats | Character string | 2.4.0 to 4.2.4 |
| snort.global-stats.match-number | Match number | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.global-stats.rule-count | Number of rules | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.global-stats.rule-file-count | Number of rule files | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.global-stats.rule.alerts-count | Number of alerts for this rule | Unsigned integer (32 bits) | 3.4.0 to 4.2.4 |
| snort.global-stats.rule.match-number | Match number for this rule | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.global-stats.total-alerts | Number of alerts detected | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.msg | Alert Message | Character string | 2.4.0 to 4.2.4 |
| snort.pcre | PCRE | Character string | 2.4.0 to 4.2.4 |
| snort.priority | Alert Priority | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.protocol | Protocol | Character string | 2.4.0 to 4.2.4 |
| snort.raw-alert | Raw Alert | Character string | 2.4.0 to 4.2.4 |
| snort.reassembled_from | Segment where alert was triggered | Frame number | 2.4.0 to 4.2.4 |
| snort.reassembled_in | Reassembled frame where alert is shown | Frame number | 2.4.0 to 4.2.4 |
| snort.reference | Reference | Character string | 2.4.0 to 4.2.4 |
| snort.rev | Rule Revision | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.rule | Rule | Character string | 2.4.0 to 4.2.4 |
| snort.rule-filename | Rule Filename | Character string | 2.4.0 to 4.2.4 |
| snort.rule-ip-var | IP variable | Label | 2.4.0 to 4.2.4 |
| snort.rule-line-number | Line number within rules file where rule was parsed from | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.rule-port-var | Port variable used in rule | Label | 2.4.0 to 4.2.4 |
| snort.rule-string | Rule String | Character string | 2.4.0 to 4.2.4 |
| snort.sid | Rule SID | Unsigned integer (32 bits) | 2.4.0 to 4.2.4 |
| snort.uricontent | URI Content | Character string | 2.4.0 to 4.2.4 |