[Snort-devel] RFC Snort Rules Unique Identifier

Fyodor fygrave at ...1...
Tue Apr 17 16:37:40 EDT 2001


 
> CHANGES TO ALERT FORMAT:
> The revised snort alert would look like
> [**] UID: #### REV: ####  Message [**]  blah blah blah...
 
> MANAGEMENT OF UID SPACE:
> Somebody needs to centrally manage the UID space. Jim? Brian? Max? UID's 0-999
> could be reserved for local homebrewed rules, so no rule in the snort.org
> database would be given an id out of this range. UID's 1000-9999 could belong
> to snort.org. UID's 10000-19999 could belong to Arachnids. And similar ranges
> could be farmed out to other folks who wish to make rules available outside the
> snort.org database.
> 

heh.. obviously it makes sense (at least to me), although having uid and rev fields sounds
like an overkill, maybe something like: ruleID: [id].[rev] would be enough?

As for rule management, there are quite a few overlapping rules distributed
with the snort rulebase, the one which comes from snort.org and arachnids; does it
really make sense to split the ruleID space between the 'rule vendors', so to
say? Maybe it would be enough to have some central ruleID-tracking mechanism
(http://www.snort.org/cgi-bin/getruleid.cgi?vendor=...&auth=yourdoperpassword'?
:*)) so when a new rule is about to be submitted a new rule ID should be obtained?  :)


just $.02
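To make the two proposals in this thread concrete, here is a small added example (not code from the original post or from the Snort project) that parses both the quoted `UID: #### REV: ####` alert form and the compact `ruleID: [id].[rev]` form, maps a UID to the vendor ranges sketched in the quoted message, and flags local rules that stray outside the 0-999 block reserved for them. The range table, the sample alert lines and all function names are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# UID ranges exactly as proposed in the quoted message (constructed table, not an official allocation)
UID_RANGES = [
    (0, 999, "local"),          # homebrewed rules, never issued from the snort.org database
    (1000, 9999, "snort.org"),
    (10000, 19999, "arachnids"),
]

# Proposed alert format: [**] UID: #### REV: ####  Message [**]  blah blah blah...
ALERT_RE = re.compile(r"^\[\*\*\]\s+UID:\s*(\d+)\s+REV:\s*(\d+)\s+(.*?)\s+\[\*\*\]")
# Fyodor's compact alternative: ruleID: [id].[rev]
COMPACT_RE = re.compile(r"ruleID:\s*(\d+)\.(\d+)")


class RuleRef(NamedTuple):
    uid: int
    rev: int
    message: str
    owner: str


def owner_of(uid: int) -> str:
    """Name the vendor block a UID falls into, or 'unassigned' if no block claims it."""
    for lo, hi, name in UID_RANGES:
        if lo <= uid <= hi:
            return name
    return "unassigned"


def parse_alert(line: str) -> Optional[RuleRef]:
    """Parse either proposed alert form; return None if the line matches neither."""
    m = ALERT_RE.match(line)
    if m:
        uid, rev, msg = int(m.group(1)), int(m.group(2)), m.group(3)
        return RuleRef(uid, rev, msg, owner_of(uid))
    m = COMPACT_RE.search(line)
    if m:
        uid, rev = int(m.group(1)), int(m.group(2))
        return RuleRef(uid, rev, "", owner_of(uid))
    return None


def local_rule_conflicts(local_uids: List[int]) -> List[int]:
    """Return UIDs of homebrewed rules that sit inside a block reserved for a vendor."""
    return [u for u in local_uids if owner_of(u) != "local"]


if __name__ == "__main__":
    # Constructed sample lines, one per proposed format
    for sample in ("[**] UID: 1234 REV: 2  EXAMPLE probe detected [**]  10.0.0.1 -> 10.0.0.2",
                   "ruleID: 10005.1  EXAMPLE probe detected"):
        print(parse_alert(sample))
    print(local_rule_conflicts([5, 1500, 999]))
```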



