--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
+ hostname: 'niban'
+ program_name: 'sudo'
+ log: ' dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
+
+**Phase 2: Completed decoding.
+ decoder: 'sudo'
+ dstuser: 'dcid'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5403'
+ Level: '4'
+ Description: 'First time user executed sudo.'
+**Alert to be generated.
+
+
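Review bot: The Phase 2 expectation `dstuser: 'dcid'` labels the invoking account as the destination user, while the event itself shows `dcid` as the caller and `USER=root` as the target. If the decoder maps it this way on purpose, a short comment beside this fixture would keep the next reader from filing it as a bug. Otherwise the expected output should carry the caller as the source user and `root` as the destination user. Neither `USER=root` nor the `COMMAND=` value appears in the decoded fields, so this fixture would still pass if the decoder stopped parsing them. The Phase 3 match on rule 5403 ("First time user executed sudo.") reads as first-seen logic. If so, the expected alert only holds when no earlier event for `dcid` has been processed, and the test should state or enforce that precondition. The two trailing blank lines at the end of the file can be dropped.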