Snort mailing list archives
Re: Custom rule sets
From: Chris Green <cmg () uab edu>
Date: Mon, 26 Nov 2001 10:30:58 -0600
"Madhav Diwan" <mdiwan () wagweb com> writes:
> Hello, A few quick questions for those in the know. If I make a custom rule for some type of signature that I define myself and I don't have a sid in the rule, how does this affect the placement of an alert from that rule into a Snort MySQL database?

Custom (user-defined) rules can use the 1000000+ sid range.

> Who (what agency, or is it Marty or someone else on the development teams) defines the sid number for a signature?

The Snort development team is the official answer for that, I believe.

> How do we submit signatures for inclusion into the rulesets?

Post to snort-sigs.

> Is each sid unique?

Yes (supposed to be).

> What role does the revision number play?

Rules aren't always right the first time.

> The two big questions would be: ****CAN I MAKE AN INDEX of the rules based on SID numbers? This would help in creating an autoupdate utility for the rule sets.

Yes. This is what sid-msg.map is.

> ****How do I define my own rule numbers/sid numbers without messing up the way I update rules from CVS, i.e. is there a set of sid numbers that is RESERVED for user-defined signatures?

Yup, see above. http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.26

> Finally, what other ways are there for us to uniquely tag custom signature rules?

Your own custom prefix msg. Your own rule type. Your own include file. etc.

-- 
Chris Green <cmg () uab edu>
Laugh and the world laughs with you, snore and you sleep alone.
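The three practical points in the reply above (user-defined rules live in the 1000000+ sid range, each sid should be unique, and sid-msg.map is the sid-keyed index an autoupdate tool can work from) can be checked mechanically before a local rule file goes into production. The following script is an added example, not code from the thread or from the Snort project: it parses a constructed local.rules file, flags duplicate and out-of-range sids, renders the classic "sid || msg" sid-msg.map layout, and compares two indexes the way an updater would after a CVS pull. The rule text, the LOCAL msg prefix and the function names are all assumptions made for this example.

```python
"""Index Snort rules by SID, check the custom SID range, and build a sid-msg.map.

Added example; not from the original mailing-list post or the Snort project.
Assumes the classic sid-msg.map layout "<sid> || <msg>" and the 1000000+ range
for user-defined rules mentioned in the reply. All rules below are constructed.
"""
import re

# Constructed sample local.rules: two good local rules, one duplicate sid,
# and one rule that wrongly uses a sid below the user-defined range.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute force guess"; flags:S; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL odd DNS query"; content:"|00 00 FF|"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL duplicate sid"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"LOCAL wrong range"; sid:4242; rev:1;)
"""

CUSTOM_SID_MIN = 1_000_000  # user-defined rules should use sids of 1000000 and up

# key:value; pairs inside the rule body; values may be quoted strings (msg, content).
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return (sid, rev, msg) for one rule line, or None for blanks, comments, or rules without a sid."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start == -1 or end == -1 or end < start:
        return None
    opts = {key: val for key, val in OPTION_RE.findall(line[start + 1:end])}
    if "sid" not in opts:
        return None  # a rule with no sid cannot be indexed or mapped
    msg = opts.get("msg", "").strip().strip('"')
    return int(opts["sid"].strip()), int(opts.get("rev", "0").strip()), msg


def index_rules(text, custom=True):
    """Build {sid: (rev, msg)} from rule text and collect problems.

    With custom=True every rule is treated as user-defined and must use a sid
    at or above CUSTOM_SID_MIN. Duplicate sids are reported and the later rule dropped.
    """
    index, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, rev, msg = parsed
        if sid in index:
            problems.append(f"line {lineno}: duplicate sid {sid} (already used by {index[sid][1]!r})")
            continue
        if custom and sid < CUSTOM_SID_MIN:
            problems.append(f"line {lineno}: custom rule {msg!r} uses sid {sid}, below {CUSTOM_SID_MIN}")
        index[sid] = (rev, msg)
    return index, problems


def sid_msg_map(index):
    """Render the index in classic sid-msg.map form, one '<sid> || <msg>' line per rule, sorted by sid."""
    return "\n".join(f"{sid} || {msg}" for sid, (_rev, msg) in sorted(index.items()))


def diff_index(old, new):
    """Compare two indexes (last run vs. a fresh pull): sids that are new, and sids whose rev went up."""
    added = sorted(sid for sid in new if sid not in old)
    revised = sorted(sid for sid in new if sid in old and new[sid][0] > old[sid][0])
    return {"added": added, "revised": revised}


if __name__ == "__main__":
    idx, errs = index_rules(SAMPLE_RULES)
    for err in errs:
        print("PROBLEM:", err)
    print(sid_msg_map(idx))
```

Running the script prints the two problems (the duplicate sid on line 4 and the out-of-range sid on line 5) followed by the generated sid-msg.map; `diff_index` is what an autoupdate utility would call with the previous and current index to learn which rules are new and which were revised.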