[Snort-sigs] gen_id in suppress and threshold rules

Russell Fulton r.fulton at ...575...
Thu May 27 19:10:01 EDT 2004


Hi All,
	After a small slammer outbreak that left several hundred thousand
alerts in the database (it was only on the net for about 15 minutes)
I've decided that it is time I came to grips with thresholds.

The good book tells me I need both sig_id (no problems) and gen_id. 
I've looked high and low for a definition of gen_id (I found it stands
for generator_id but that does not really help).  All examples I have
found have gen_id as 1 and using this seems to work fine. 

But I'm curious, and I don't like mysteries :)

Anyone care to shed some light or point to a reference?

Cheers and thanks, Russell.




