[Snort-sigs] gen_id in suppress and threshold rules
r.fulton at ...575...
Thu May 27 23:46:18 EDT 2004
On Fri, 2004-05-28 at 16:53, Chris Keladis wrote:
> At 12:08 PM 28/05/2004, Russell Fulton wrote:
> Hi Russell,
> >The good book tells me I need both sig_id (no problems) and gen_id.
> >I've looked high and low for a definition of gen_id (I found it stands
> >for generator_id but that does not really help). All examples I have
> >found have gen_id as 1 and using this seems to work fine.
> gen_id 1 is the GID for the Snort engine itself.
I sort of figured that :)
> The Snort pre-processors use unique GIDs with their own SIDs.
and also guessed that. The sids are documented in the snort.conf file
but not the GIDs. This would be worthwhile doing.
> You can find the GID/SID matrix in the Snort source, in the generators.h file.
Ah! I'll snarf that then.
Request to the Sourcefire team: would someone please put a few lines in
the manual about GIDs, perhaps with a pointer to the generators.h file.
PS. If someone will agree to have the GIDs in the snort.conf file I'll
volunteer to update a current copy and send it back...
Gee, come to that, I'll even write a bit for the manual, but since I
really don't know anything I would rather someone who knew the real
story did it.
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
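
The lookup discussed in this thread, as an added example that is not part of the original message or of the Snort project: it reads GID definitions from a generators.h-style header and flags suppress/threshold lines whose gen_id has no known generator. The header layout, the macro names and GID 999 are assumptions built for illustration; only "gen_id 1 is the Snort engine" comes from the thread.

```python
import re

# Constructed sample in the style of a C header of #define lines. The macro
# names and the value 999 are assumptions; only GID 1 = Snort engine is from
# the thread.
SAMPLE_HEADER = """\
#define GENERATOR_SNORT_ENGINE        1
#define GENERATOR_EXAMPLE_PREPROC   999   /* hypothetical preprocessor */
#define     EXAMPLE_PREPROC_ALERT     1
"""

# Constructed suppress/threshold lines (sig_ids and the IP are sample values).
SAMPLE_RULES = """\
suppress gen_id 1, sig_id 1852
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
suppress gen_id 999, sig_id 1, track by_src, ip 10.1.1.54
suppress gen_id 42, sig_id 7
# suppress gen_id 5, sig_id 5
"""

# Only top-level GENERATOR_* defines are GIDs; indented sub-defines are SIDs.
DEFINE_RE = re.compile(r"^#define[ \t]+(GENERATOR_\w+)[ \t]+(\d+)", re.M)
RULE_RE = re.compile(
    r"^\s*(suppress|threshold)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")


def load_generators(header_text):
    """Map GID -> macro name for every GENERATOR_* define in the header."""
    return {int(val): name for name, val in DEFINE_RE.findall(header_text)}


def check_rules(rules_text, generators):
    """Return (lineno, kind, gid, sid, generator_or_None) for each rule line."""
    results = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)  # commented-out lines do not match
        if m:
            gid, sid = int(m.group(2)), int(m.group(3))
            results.append((lineno, m.group(1), gid, sid, generators.get(gid)))
    return results


if __name__ == "__main__":
    gens = load_generators(SAMPLE_HEADER)
    for lineno, kind, gid, sid, name in check_rules(SAMPLE_RULES, gens):
        print(f"line {lineno}: {kind} gid={gid} sid={sid} -> "
              f"{name or 'UNKNOWN gen_id'}")
```

A suppress or threshold entry with a gen_id that maps to no generator is worth reviewing, since it may be silencing nothing while the intended alert keeps firing.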