Snort mailing list archives
Rule code
From: "Jan van den Berg" <jan () e-commercepark com>
Date: Wed, 14 May 2003 23:29:30 -0400
Hello there,

I'm working on a piece of program that queries the Snort database. For this program I need to know what rule corresponds with what signature. See, I am a bit confused with the signatures and the rules. Right now I am thinking that every ruleset has a signature; is this true? Or does every rule itself have a signature?

When I do a "SELECT * FROM EVENT;" I see a SID, CID, SIGNATURE and a TIMESTAMP column. So my guess is that the SIGNATURE column is the one that holds a reference to the rule(set). I need to find out what ruleset has been applied when an alert is logged (dns.rules, dos.rules, netbios.rules etc.). What is the best way to find this out, and how does the ruleset correlate with the SIGNATURES?

Regards,
Jan van den Berg
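The lookup the question asks for, as an added example that is not part of the post and not code from the Snort project. It assumes the event/signature table layout created by Snort's database output plugin as recalled here (event.sid is the sensor id, event.signature points at signature.sig_id, and signature.sig_sid/sig_rev carry the rule's sid and rev); the rules files and database rows are constructed, with sids in the local range, and the rules-file name is recovered by parsing the rule text, since the database itself does not record which file a rule came from.

```python
import re
import sqlite3

# Constructed sample rules files in Snort rule syntax (not the real Snort
# ruleset); sids are in the local 9000000+ range to make that obvious.
SAMPLE_RULE_FILES = {
    "dns.rules": (
        "# constructed example rule\n"
        'alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL DNS oversized reply"; '
        "dsize:>512; sid:9000001; rev:2; classtype:attempted-recon;)\n"
    ),
    "dos.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS example"; '
        "flags:S; threshold:type both,track by_dst,count 200,seconds 10; sid:9000002; rev:1;)\n"
    ),
    "netbios.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"LOCAL NETBIOS example"; '
        'flow:to_server,established; content:"|FF|SMB"; sid:9000003; rev:3;)\n'
    ),
}

# Rule header up to the option parenthesis, then the option body.
RULE_RE = re.compile(r"^(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+[^(]*\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"(?:^|;)\s*rev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'(?:^|;)\s*msg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_rules(rule_files):
    """Map rule sid -> {file, rev, msg} by parsing Snort rule text per file."""
    index = {}
    for fname, text in rule_files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = RULE_RE.match(line)
            if not m:
                continue
            opts = m.group("opts")
            sid = SID_RE.search(opts)
            if not sid:
                continue  # a rule without a sid can never be tied to an alert
            rev = REV_RE.search(opts)
            msg = MSG_RE.search(opts)
            index[int(sid.group(1))] = {
                "file": fname,
                "rev": int(rev.group(1)) if rev else 0,
                "msg": msg.group(1) if msg else "",
            }
    return index


# Subset of the schema Snort's database output plugin creates (assumption,
# from memory). event.sid is the *sensor* id, not the rule sid; event.cid is
# the per-sensor event counter; event.signature references signature.sig_id.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
    sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
"""


def build_demo_db():
    """In-memory SQLite database holding constructed rows in that shape."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", [
        (1, "LOCAL DNS oversized reply", 3, 2, 2, 9000001, 1),
        (2, "LOCAL DOS example", 1, 2, 1, 9000002, 1),
        # rev 1 in the database but rev 3 in netbios.rules: the rule text on
        # disk was updated after this alert was logged
        (3, "LOCAL NETBIOS example", 2, 3, 1, 9000003, 1),
        # a sid that appears in none of the loaded rules files
        (4, "LOCAL retired rule", 1, 3, 1, 9000099, 1),
    ])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 1, "2003-05-14 22:01:00"),
        (1, 2, 2, "2003-05-14 22:05:30"),
        (2, 1, 3, "2003-05-14 22:07:12"),
        (2, 2, 4, "2003-05-14 22:09:45"),
    ])
    return conn


LOOKUP_SQL = """
SELECT e.sid, e.cid, e.timestamp, s.sig_sid, s.sig_rev, s.sig_name
FROM event AS e
JOIN signature AS s ON s.sig_id = e.signature
ORDER BY e.sid, e.cid
"""


def alerts_with_rule_file(conn, rule_index):
    """Join each event to its signature row, then to the rules file holding that sid."""
    out = []
    for sensor, cid, ts, sig_sid, sig_rev, sig_name in conn.execute(LOOKUP_SQL):
        rule = rule_index.get(sig_sid)
        out.append({
            "sensor": sensor, "cid": cid, "timestamp": ts,
            "sid": sig_sid, "rev": sig_rev, "msg": sig_name,
            "file": rule["file"] if rule else None,
            # False when the rule on disk is a different revision than the one that fired
            "rev_current": rule is not None and rule["rev"] == sig_rev,
        })
    return out


if __name__ == "__main__":
    index = parse_rules(SAMPLE_RULE_FILES)
    for row in alerts_with_rule_file(build_demo_db(), index):
        print(f"sensor {row['sensor']} cid {row['cid']} sid {row['sid']}:{row['rev']} "
              f"-> {row['file'] or 'NOT IN LOADED RULES'} (rev current: {row['rev_current']})")
```

The join answers the first half of the question: one signature row per rule (sid/rev), not per ruleset, and events reference that row through the SIGNATURE column. The file name only comes from the rule text, so keep the parsed index in step with the rules the sensor actually loads; a rev mismatch or a missing sid (both shown in the constructed rows) is the signal that the archive and the rules on disk have drifted apart.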
Current thread:
- Rule code Jan van den Berg (May 14)