[Snort-sigs] gen_id in suppress and threshold rules
r.fulton at ...575...
Thu May 27 19:10:01 EDT 2004
After a small Slammer outbreak that left several hundred thousand
alerts in the database (it was only on the net for about 15 minutes)
I've decided that it is time I came to grips with thresholds.
The good book tells me I need both sig_id (no problems) and gen_id.
I've looked high and low for a definition of gen_id (I found it stands
for generator_id but that does not really help). All examples I have
found have gen_id as 1 and using this seems to work fine.
But I'm curious, and I don't like mysteries :)
Anyone care to shed some light or point to a reference?
Cheers and thanks, Russell.