[Snort-sigs] Signature Naming Convention

Chris Green cmg at ...435...
Tue Apr 16 09:42:03 EDT 2002


Warchild <warchild at ...288...> writes:
>
> I totally agree.  Since I rely heavily on ACID for my interface into our
> sensor, a standard naming convention for the rules makes analyzing the gobs
> of alerts much easier.
>
> Another thing to consider is rules that detect different variants of one
> common attack -- x86 NOOP comes to mind.  If more than one rule has the same
> name (actually, the same 'msg' field), this makes sorting and searching a bit
> more complicated.   At the same time, do I really care that a particular
> NOOP sled is one type vs the other?  It depends.

Take the time to point out msgs which collide in a confusing manner.
Each MSG should become unique and there are plenty of instances where
you will care.
-- 
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
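One way to find the colliding msgs Chris asks for before they reach the console: an added example (not from this thread or the Snort project) that scans a ruleset for msg strings shared by more than one sid. The sample rules and their sids are constructed placeholders; real rule files may span lines with backslashes, which this simple line-based parser assumes they do not.

```python
import re
from collections import defaultdict

# Constructed sample ruleset (not from the original post). The first two
# rules are different NOOP sled variants that reuse one msg; sids are placeholders.
SAMPLE_RULES = """\
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90|"; sid:1000001; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT bad file completion"; content:"~{"; sid:1000003; rev:1;)
# comment lines and blank lines are ignored

alert tcp any any -> any 80 (msg:"WEB-MISC quote \\"escaped\\" in msg"; sid:1000004; rev:1;)
"""

# msg value may contain backslash-escaped quotes, so match escaped pairs as a unit.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return (sid, msg) for every active rule line; a field missing from a rule is None."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg = MSG_RE.search(line)
        sid = SID_RE.search(line)
        parsed.append((int(sid.group(1)) if sid else None,
                       msg.group(1) if msg else None))
    return parsed


def find_msg_collisions(text):
    """Map each msg used by more than one sid to the sorted list of those sids."""
    by_msg = defaultdict(list)
    for sid, msg in parse_rules(text):
        if msg is not None and sid is not None:
            by_msg[msg].append(sid)
    return {m: sorted(s) for m, s in by_msg.items() if len(s) > 1}


if __name__ == "__main__":
    for msg, sids in find_msg_collisions(SAMPLE_RULES).items():
        print(f'msg "{msg}" is shared by sids {sids}')
```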