By default, YAIDS processed output to both stdout and to log files. The default stdout provides alerts (rule matches), and two logs are generated - the alerts and PCAP of the triggered packets.

The alert output contains the following fields:

  • Timestamp (YYYY-MM-DD HH:MM:SS)
  • Rule Name
  • Matching Rule Condition and Trigger Location
  • Matching Packet Data
  • Header Length: Length Yara Processed / PCAP Capture Length / Original Packet Length
  • Protocols: Link-Layer / Network / Transport
  • Layer-2 Source > Layer-2 Destination Addresses
  • Layer-3 Source > Layer-3 Destination Addresses and Layer-4 Ports (Address:Port)

An example alert:

2020-12-20 01:01:01 - Metasploit_Download [$s1:0x42:3] {GET /metasploitframework-latest.msi} [171:171/171] (ETH/IP/TCP) 10:00:00:00:00:B3 > 10:00:00:00:00:F7 - >