[Snort-devel] Reference information in rules

Chris Green cmg at ...81...
Sat Oct 14 22:46:32 EDT 2000


Martin Roesch <roesch at ...48...> writes:

> Joe McAlerney wrote:
> > 
> > What are your thoughts on this?  I don't think it would take too long to
> > put together, and I would be willing to do so if people wanted.  Maybe
> > it will inspire someone to start putting one ID or another on all the
> > snort.org rules.  NOTE: my hand is not raised.
> 
> Good idea, but we've got to resolve how all this fits in with the arachNIDS
> data, which has its own numbering scheme.  Max?

What about origin + id#?  IDS\d+ goes to the arachNIDS db and for
custom rules mine would be CMG1, CMG2, etc.  Perhaps
domain.name+number would keep things straight.  It wouldn't be bad to
break this information apart from the msg alert so that it would be
easy to customize what to do with the vendor/id info without having to
do this processing later on the alert logs.

This gives a way to split logs on the back end with little effort as
well.
-- 
Chris Green <cmg at ...81...>
This is my signature. There are many like it but this one is mine.
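The scheme proposed above (an origin tag plus a number, with IDS\d+ meaning the arachNIDS database, and the reference carried apart from the msg text so the back end can split logs on it) worked through as an added Python example; this is not code from the post or from Snort. The `[ref: ...]` field in the sample alert lines, the origin alias table and the domain-name origin form are assumptions made for the example.

```python
import re
from collections import defaultdict

# Reference scheme from the post: an origin tag followed by a number.
# The tag is either a short label (IDS, CMG) or, as an assumption here,
# a domain name such as example.com so that independent rule authors
# cannot collide. The origin must start with a letter; the number ends the string.
REF_RE = re.compile(r"^(?P<origin>[A-Za-z][A-Za-z0-9.\-]*?)(?P<num>\d+)$")

# Alias table (assumption): IDS<n> references are arachNIDS database entries.
ORIGIN_ALIASES = {"IDS": "arachNIDS"}


def parse_reference(ref):
    """Split 'IDS128', 'CMG1' or 'example.com42' into (origin, id).

    Returns None for anything that does not fit the origin+number shape,
    so a malformed reference is never silently filed under some origin.
    """
    m = REF_RE.match(ref.strip())
    if not m:
        return None
    origin = m.group("origin")
    return (ORIGIN_ALIASES.get(origin.upper(), origin), int(m.group("num")))


# Assumed alert layout: the reference travels in its own bracketed field
# rather than being folded into the msg text, which is the point of the post.
ALERT_REF_RE = re.compile(r"\[ref:\s*(?P<ref>[^\]]+)\]")


def split_alerts_by_origin(lines):
    """Bucket alert lines by reference origin; lines without a usable
    reference go to 'unreferenced' so nothing is dropped on the floor."""
    buckets = defaultdict(list)
    for line in lines:
        m = ALERT_REF_RE.search(line)
        parsed = parse_reference(m.group("ref")) if m else None
        key = parsed[0] if parsed else "unreferenced"
        buckets[key].append(line)
    return dict(buckets)


# Constructed sample alert lines (not real Snort output; the IDS number is made up).
SAMPLE_ALERTS = [
    "10/14-22:46:32 [**] WEB-CGI probe [ref: IDS128] [**] 10.0.0.5 -> 10.0.0.9",
    "10/14-22:47:01 [**] local policy hit [ref: CMG1] [**] 10.0.0.7 -> 10.0.0.9",
    "10/14-22:47:09 [**] vendor signature [ref: example.com42] [**] 10.0.0.8 -> 10.0.0.9",
    "10/14-22:48:00 [**] no reference on this one [**] 10.0.0.9 -> 10.0.0.5",
    "10/14-22:48:30 [**] garbled reference [ref: 9999] [**] 10.0.0.3 -> 10.0.0.9",
]

if __name__ == "__main__":
    for origin, alerts in sorted(split_alerts_by_origin(SAMPLE_ALERTS).items()):
        print(f"{origin}: {len(alerts)} alert(s)")
```

Because the origin is parsed once at the back end, routing (arachNIDS hits to one file, each custom author's rules to another) becomes a dictionary lookup rather than a second pass over the msg strings, which is what the post is after.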
