Snort mailing list archives
Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 1 Nov 2011 11:22:06 -0400
We'll take a look Will, thanks. We're in the middle of a big change right now, so I'll take a look.

On Nov 1, 2011, at 11:04 AM, Will Metcalf wrote:
Would it be possible to update the sid entry of the snort manual to reflect the existence of ET? For all practical purposes sids in the range of 2000000 - 3000000 should not be assigned to local rules, as this is the range used by ET. Even if people are dedicated VRT users, they may decide to cherry pick from the ET set every now and again, and dealing with sid overlaps sucks. I realize that ET/VRT doesn't always see eye-to-eye but with 4 billion or so possible rule-ids what's the harm? I think this will just save a ton of confusion. Wasn't there supposed to be some like official body that was going to dole out sid-ranges or something a long time ago?

http://manual.snort.org/node30.html#keyword_sid

Regards,
Will

---------- Forwarded message ----------
From: shadowbq <reply+i-1646003-b8506d330676c4925c42dc95145e98d21ae1fd3d () reply github com>
Date: Mon, Oct 31, 2011 at 10:46 PM
Subject: Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
To: William Metcalf <william.metcalf () gmail com>

```diff
if signature.sig_sid <= 1000000 + @signature_url = if Setting.vrt_signature_lookup? + Setting.find(:vrt_signature_lookup) + else + VRT_SIGNATURE_URL + end + elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000) + @signature_url = if Setting.local_signature_lookup? + Setting.find(:local_signature_lookup) + else + LOCAL_SIGNATURE_URL + end + elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000) + @signature_url = if Setting.et_signature_lookup? + Setting.find(:et_signature_lookup) + else
```

Signature SIDs don't really have a dedicated range and this is just best guessing. SIDs are generally a mess.
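
Review bot: The first two conditions split at `signature.sig_sid <= 1000000` and `signature.sig_sid > 1000000`, so sid 1000000 itself is sent to the VRT lookup. The sid keyword section of the Snort manual lists 1,000,000 and above as local, so `< 1000000` in the first branch and `>= 1000000` in the second would match it. The bounds 1000000, 2000000 and 3000000 are bare literals spread over three conditions; named constants would keep each boundary in one place, and the three identical "setting if present, otherwise default constant" selections could share one helper. The final else is cut off in the quoted hunk, so the handling of sids at 3000000 and above cannot be reviewed from these lines.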
--
Reply to this email directly or view it on GitHub:
https://github.com/Snorby/snorby/issues/138#issuecomment-2586481

------------------------------------------------------------------------------
RSA® Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
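
The overlap problem Will describes can be checked before rules are loaded. The following is an added example, not part of the thread or of Snorby's code: it scans a local rules file for enabled rules whose sid falls in the ET range, sits below the local range, or repeats an earlier sid. The ET range comes from Will's message, the local floor of 1000000 from the Snort manual's sid keyword section, and the function names and sample rules are constructed for illustration.

```ruby
# Added example: audit local Snort rules for sid collisions.
# Assumed ranges: ET = 2000000..2999999 (from Will's message),
# local rules start at 1000000 (Snort manual, sid keyword).
ET_RANGE    = (2_000_000...3_000_000)
LOCAL_FLOOR = 1_000_000

# Constructed sample file; these are not real signatures.
SAMPLE_LOCAL_RULES = <<~'RULES'
  # local.rules (constructed sample)
  alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL admin panel"; sid:1000001; rev:1;)
  alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh from guest vlan"; sid:2000500; rev:2;)
  alert udp any any -> any 53 (msg:"LOCAL dns test"; sid: 900; rev:1;)
  alert tcp any any -> $HOME_NET 8443 (msg:"LOCAL admin panel tls"; sid:1000001; rev:1;)
  #alert tcp any any -> any any (msg:"LOCAL disabled"; sid:2000501; rev:1;)
RULES

# Returns [[line_number, sid], ...] for every enabled rule line.
def rule_sids(text)
  text.each_line.with_index(1).filter_map do |line, no|
    next if line.strip.empty? || line.lstrip.start_with?('#')
    m = line.match(/[(;]\s*sid\s*:\s*(\d+)\s*;/)
    [no, m[1].to_i] if m
  end
end

# Returns one hash per finding: { line:, sid:, problem: }.
def audit_local_sids(text)
  first_seen = {}
  rule_sids(text).flat_map do |no, sid|
    problems = []
    problems << :et_range if ET_RANGE.cover?(sid)
    problems << :below_local_floor if sid < LOCAL_FLOOR
    problems << :duplicate if first_seen.key?(sid)
    first_seen[sid] ||= no
    problems.map { |prob| { line: no, sid: sid, problem: prob } }
  end
end

audit_local_sids(SAMPLE_LOCAL_RULES).each do |f|
  puts "line #{f[:line]}: sid #{f[:sid]} -> #{f[:problem]}"
end
```

Commented-out rules are skipped, so a disabled rule with an ET-range sid is not reported until it is enabled.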