[Snort-sigs] gen_id in suppress and threshold rules

Chris Keladis Chris.Keladis at ...2461...
Tue Jun 1 08:21:31 EDT 2004


At 12:08 PM 28/05/2004, Russell Fulton wrote:

Hi Russell,

>The good book tells me I need both sig_id (no problems) and gen_id.
>I've looked high and low for a definition of gen_id (I found it stands
>for generator_id but that does not really help).  All examples I have
>found have gen_id as 1 and using this seems to work fine.

gen_id 1 is the GID for the Snort engine itself.

The Snort pre-processors use unique GIDs with their own SIDs.

You can find the GID/SID matrix in the Snort source, in the generators.h file.

This should be all the info you need to configure thresholds.





Regards,

Chris.






More information about the Snort-sigs mailing list