[Snort-devel] SIDs & user defined rules

Chris Green cmg at ...81...
Thu Jun 14 12:14:03 EDT 2001


Is there a convention for sid assignment for user defined rules?

It seems 1-100 is reserved for spp's.

Perhaps instead of 1-100, add an additional field that represents the
type of alert:

1 - spp
2 - official snort rule
3 - user defined rule

Are the sid and sid-msg.map going to be used only by Brian for
assigning ``official'' snort rules?

Having such a table output at runtime could be a useful thing for
processing.
-- 
Chris Green <cmg at ...81...>
Laugh and the world laughs with you, snore and you sleep alone.



