Snort mailing list archives
Fwd: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 1 Nov 2011 10:04:44 -0500
Would it be possible to update the sid entry of the Snort manual to reflect the existence of ET? For all practical purposes sids in the range of 2000000 - 3000000 should not be assigned to local rules, as this is the range used by ET. Even if people are dedicated VRT users, they may decide to cherry-pick from the ET set every now and again, and dealing with sid overlaps sucks. I realize that ET/VRT don't always see eye to eye but with 4 billion or so possible rule IDs what's the harm? I think this will just save a ton of confusion. Wasn't there supposed to be some like official body that was going to dole out sid-ranges or something a long time ago?

http://manual.snort.org/node30.html#keyword_sid

Regards,
Will

---------- Forwarded message ----------
From: shadowbq <reply+i-1646003-b8506d330676c4925c42dc95145e98d21ae1fd3d () reply github com>
Date: Mon, Oct 31, 2011 at 10:46 PM
Subject: Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
To: William Metcalf <william.metcalf () gmail com>

```diff
if signature.sig_sid <= 1000000 + @signature_url = if Setting.vrt_signature_lookup? + Setting.find(:vrt_signature_lookup) + else + VRT_SIGNATURE_URL + end + elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000) + @signature_url = if Setting.local_signature_lookup? + Setting.find(:local_signature_lookup) + else + LOCAL_SIGNATURE_URL + end + elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000) + @signature_url = if Setting.et_signature_lookup? + Setting.find(:et_signature_lookup) + else
```

Signature SIDs don't really have a dedicated range and this is just best guessing. SIDs are generally a mess.
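Review bot: The range boundaries are not handled uniformly: the first branch tests `signature.sig_sid <= 1000000`, so sid 1000000 itself goes to the VRT lookup, while the local and ET branches use exclusive upper bounds (`< 2000000`, `< 3000000`). Pick one convention for which side each boundary falls on; once the upper bounds are consistent, the lower-bound tests in the two `elsif` lines are redundant because the chain has already excluded the lower ranges. The three branches also repeat the same "setting present, else default constant" pattern, so a small table of range, setting key and default URL would remove the duplication and keep the literal boundaries in one place. The visible lines stop at the ET branch's `else`, so it is worth confirming that a sid of 3000000 or above still ends up with a defined `@signature_url`.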
--
Reply to this email directly or view it on GitHub:
https://github.com/Snorby/snorby/issues/138#issuecomment-2586481
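One way to catch the overlap problem raised in the message above before rules are loaded, as an added example that is not part of the original post or of Snorby: it flags local rules whose sid falls in the 2000000 - 3000000 range and any sid defined more than once. The function names, file names and sample rules are constructed for illustration, and the range bounds are assumed to be inclusive.

```python
import re
from collections import defaultdict

# Range the message names as used by ET; treating both ends as inclusive is an assumption.
ET_RANGE = (2000000, 3000000)
# sid option as it appears among rule options: "(sid:N;" or "; sid:N;".
SID_RE = re.compile(r'[(;]\s*sid\s*:\s*(\d+)\s*;')

def parse_sids(name, text):
    """Yield (sid, source name, line number) for each enabled rule.
    Assumes one rule per line; backslash-continued rules are not handled."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # commented-out (disabled) rule
        m = SID_RE.search(line)
        if m:
            yield int(m.group(1)), name, lineno

def audit(local_sets, vendor_sets):
    """Return (local rules inside ET_RANGE, sids defined more than once)."""
    seen = defaultdict(list)
    in_et_range = []
    for is_local, sets in ((True, local_sets), (False, vendor_sets)):
        for name, text in sets.items():
            for sid, src, lineno in parse_sids(name, text):
                seen[sid].append((src, lineno))
                if is_local and ET_RANGE[0] <= sid <= ET_RANGE[1]:
                    in_et_range.append((sid, src, lineno))
    dupes = {sid: locs for sid, locs in seen.items() if len(locs) > 1}
    return in_et_range, dupes

# Constructed sample rules (not real VRT or ET signatures).
LOCAL = {"local.rules": """\
alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL proxy probe"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh scan"; sid:2000005; rev:1;)
# alert tcp any any -> any 23 (msg:"LOCAL disabled"; sid:2000009; rev:1;)
"""}
ET = {"emerging-sample.rules": """\
alert tcp any any -> any 80 (msg:"ET constructed example"; sid:2000005; rev:3;)
"""}

if __name__ == "__main__":
    in_range, dupes = audit(LOCAL, ET)
    for sid, src, n in in_range:
        print(f"{src}:{n}: local sid {sid} is inside the ET range")
    for sid, locs in sorted(dupes.items()):
        print(f"sid {sid} defined more than once: {locs}")
```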