[Snort-sigs] rule revision tracking

Matt Kettler mkettler at ...189...
Fri Jul 9 10:25:03 EDT 2004


At 11:03 AM 7/9/2004, John Nagro wrote:
>With the fairly frequent changes to rule sets (especially in bleedingsnort and
>custom rules made up as a rapid response to an attack/virus/etc) it would be
>nice to be able to tell which revision # of a rule set off an alert in
>question. I don't think there is currently any way to track this, but if there
>is could someone clue me in?

It's in there.

See this message:

[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]

The [1:485:4] is important: 1 indicates it was a rule (i.e. not a 
preprocessor), 485 is the rule's SID, and 4 is the revision of the rule.
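As an added illustration (not part of the original thread), the following Python pulls the gid:sid:rev triple out of Snort alert headers in the format shown above and tallies alerts per rule revision, so an analyst can see which revision of a rule fired; it also re-joins headers that a mailer wrapped onto two lines. The sample alert lines and the non-1 gid value are constructed for the example.

```python
import re
from collections import Counter

# Snort alert header: "[**] [gid:sid:rev] message [**]".
# gid 1 means a text rule; other gids come from preprocessors/decoders.
HEADER_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def join_wrapped(lines):
    """Re-join headers that a mail client or pager wrapped onto a second line.
    Any non-blank line not starting with '[**]' is treated as a continuation."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("[**]") or not out:
            out.append(line)
        else:
            out[-1] = out[-1].rstrip() + " " + line.lstrip()
    return out


def parse_alert_header(line):
    """Return (gid, sid, rev, msg) for a Snort alert header line, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg


def count_by_revision(lines):
    """Count text-rule alerts (gid 1) keyed by (sid, rev), so the same SID at
    different revisions shows up as separate entries."""
    counts = Counter()
    for line in lines:
        parsed = parse_alert_header(line)
        if parsed and parsed[0] == 1:
            _, sid, rev, _ = parsed
            counts[(sid, rev)] += 1
    return counts


# Constructed sample alert lines: SID 485 at revisions 4 and 5, one header
# wrapped across two lines, plus one alert with a made-up non-rule gid (105).
SAMPLE_ALERTS = [
    "[**] [1:485:4] ICMP Destination Unreachable Communication Administratively",
    "Prohibited [**]",
    "[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]",
    "[**] [1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [**]",
    "[**] [105:1:1] constructed preprocessor-style alert, gid is not 1 [**]",
]

if __name__ == "__main__":
    for (sid, rev), n in sorted(count_by_revision(join_wrapped(SAMPLE_ALERTS)).items()):
        print(f"sid {sid} rev {rev}: {n} alert(s)")
```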
