Snort mailing list archives

Rule code


From: "Jan van den Berg" <jan () e-commercepark com>
Date: Wed, 14 May 2003 23:29:30 -0400

Hello there,

I'm working on a piece of program that queries the Snort database. For this program I need to know what rule corresponds with what signature.

See, I am a bit confused with the signatures and the rules. Right now I am thinking that every ruleset has a signature, is this true? Or does every rule itself have a signature?

When I do a "SELECT * FROM EVENT;" I see a SID, CID, SIGNATURE and a TIMESTAMP column. So my guess is that the SIGNATURE column is the one that holds a reference to the rule(set).

I need to find out what ruleset has been applied when an alert is logged (dns.rules, dos.rules, netbios.rules etc.). What is the best way to find this out, and how does the ruleset correlate with the SIGNATURES?

Regards,

Jan van den Berg
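As an added example (not from the thread), a Python/sqlite3 walk-through of how `event.signature` resolves to a rule: the table and column names are those of the Snort database output plugin schema, while the rows, the two one-rule excerpts and the helper names are constructed for illustration. The database never stores the ruleset file name, only the rule's `sid`, `rev` and classtype, so the example recovers the file by indexing the `sid:` option in the `.rules` files.

```python
import re
import sqlite3

# Snort database output plugin table/column names; all rows are constructed sample data.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
                        sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER);
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
INSERT INTO sig_class VALUES (1, 'attempted-recon'), (2, 'attempted-dos');
INSERT INTO signature VALUES (1, 'DNS zone transfer TCP', 1, 2, 8, 255),
                             (2, 'DOS Land attack', 2, 2, 4, 269);
INSERT INTO event VALUES (1, 1, 1, '2003-05-14 22:10:01'), (1, 2, 2, '2003-05-14 22:11:45'),
                         (1, 3, 1, '2003-05-14 22:12:03');
"""
# event.signature -> signature.sig_id; the rule's own sid, rev and classtype hang off that row.
RULE_QUERY = """
SELECT e.sid, e.cid, e.timestamp, s.sig_sid, s.sig_rev, s.sig_name, c.sig_class_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN sig_class c ON c.sig_class_id = s.sig_class_id
ORDER BY e.sid, e.cid
"""
# Constructed one-rule excerpts standing in for dns.rules and dos.rules.
RULE_FILES = {
    "dns.rules": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; classtype:attempted-recon; sid:255; rev:8;)',
    "dos.rules": 'alert ip any any -> $HOME_NET any (msg:"DOS Land attack"; sameip; classtype:attempted-dos; sid:269; rev:4;)',
}
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def index_rule_files(rule_files):
    """Map sid -> ruleset file name; the database itself never records the file."""
    index = {}
    for fname, text in rule_files.items():
        for line in text.splitlines():
            match = SID_RE.search(line)
            if match:
                index[int(match.group(1))] = fname
    return index

def alerts_with_rules(db_sql=SCHEMA, rule_files=RULE_FILES):
    """Resolve each logged alert to its rule sid/rev, msg, classtype and ruleset file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(db_sql)
    by_sid = index_rule_files(rule_files)
    cols = ("sensor", "cid", "timestamp", "rule_sid", "rule_rev", "msg", "classtype")
    rows = [dict(zip(cols, r)) for r in conn.execute(RULE_QUERY)]
    for row in rows:  # sig_sid is the key that ties a database signature back to a .rules file
        row["ruleset"] = by_sid.get(row["rule_sid"], "unknown")
    return rows
```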
