[Snort-sigs] gen_id in suppress and threshold rules
Chris.Keladis at ...2461...
Tue Jun 1 08:21:31 EDT 2004
At 12:08 PM 28/05/2004, Russell Fulton wrote:
>The good book tells me I need both sig_id (no problems) and gen_id.
>I've looked high and low for a definition of gen_id (I found it stands
>for generator_id but that does not really help). All examples I have
>found have gen_id as 1 and using this seems to work fine.
gen_id 1 is the GID for the Snort engine itself.
The Snort pre-processors use unique GIDs with their own SIDs.
You can find the GID/SID matrix in the Snort source, in the generators.h file.
This should be all the info you need to configure thresholds.
More information about the Snort-sigs