[Snort-sigs] Signature Naming Convention
cmg at ...435...
Tue Apr 16 09:42:03 EDT 2002
Warchild <warchild at ...288...> writes:
> I totally agree. Since I rely heavily on ACID for my interface into our
> sensor, a standard naming convention for the rules makes analyzing the gobs
> of alerts much easier.
> Another thing to consider is rules that detect different variants of one
> common attack -- x86 NOOP comes to mind. If more than one rule has the same
> name (actually, the same 'msg' field), this makes sorting and searching a bit
> more complicated. At the same time, do I really care that a particular
> NOOP sled is one type vs the other? It depends.
Take the time to point out msgs which collide in a confusing manner.
Each MSG should become unique and there are plenty of instances where
you will care.
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
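
One way to find the colliding msgs the reply asks people to point out, as an added example that is not part of the original message or of Snort itself. The sample rules and their sids are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample rules for illustration; sids are made up.
SAMPLE_RULES = r'''
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; sid:1000001; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|eb 02 eb 02|"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"SHELLCODE x86 NOOP"; sid:1000003;)
alert tcp any any -> any 80 (msg:"WEB-MISC test \"quoted\"\; name"; sid:1000004; rev:2;)
alert tcp any any -> any 80 (msg: "shellcode X86  noop"; sid:1000005; rev:1;)
'''

QUOTED = r'"(?:\\.|[^"\\])*"'          # quoted option value, honouring backslash escapes
MSG_RE = re.compile(r'\bmsg\s*:\s*(' + QUOTED + r')\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Yield (sid, msg) for each enabled rule line; commented-out rules are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = re.sub(r'\\(.)', r'\1', m.group(1)[1:-1])   # undo \" \; \\ escapes
        # Blank out quoted strings so "sid:" inside a msg or content is not matched.
        s = SID_RE.search(re.sub(QUOTED, '""', line))
        yield (int(s.group(1)) if s else None, msg)

def find_msg_collisions(text, normalize=False):
    """Map each msg shared by more than one rule to the list of sids using it.

    With normalize=True, msgs differing only in case or spacing also collide.
    """
    groups = defaultdict(list)
    for sid, msg in parse_rules(text):
        key = " ".join(msg.lower().split()) if normalize else msg
        groups[key].append(sid)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for msg, sids in find_msg_collisions(SAMPLE_RULES, normalize=True).items():
        print(f"{len(sids)} rules share msg {msg!r}: sids {sids}")
```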