[Snort-sigs] gen_id in suppress and threshold rules

Russell Fulton r.fulton at ...575...
Thu May 27 23:46:18 EDT 2004


Thanks Chris,

On Fri, 2004-05-28 at 16:53, Chris Keladis wrote:
> At 12:08 PM 28/05/2004, Russell Fulton wrote:
> 
> Hi Russell,
> 
> >The good book tells me I need both sig_id (no problems) and gen_id.
> >I've looked high and low for a definition of gen_id (I found it stands
> >for generator_id but that does not really help).  All examples I have
> >found have gen_id as 1 and using this seems to work fine.
> 
> gen_id 1 is the GID for the Snort engine itself.

I sort of figured that :)
> 
> The Snort pre-processors use unique GIDs with their own SIDs.
> 
and also guessed that.  The SIDs are documented in the snort.conf file
but not the GIDs.  This would be worthwhile doing.

> You can find the GID/SID matrix in the Snort source, in the generators.h file.

Ah! I'll snarf that then.

Request to the Sourcefire team: would someone please put a few lines in
the manual about GIDs, perhaps with a pointer to the generators.h file.

Thanks, Russell.

PS. If someone will agree to have the GIDs in the snort.conf file I'll
volunteer to update a current copy and send it back...

Gee, come to that, I'll even write a bit for the manual, but since I
really don't know anything I would rather someone who knew the real
story did it.

Cheers, Russell.
-- 
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
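
Added example (not part of the original message and not Snort project code): a Python script for the lookup discussed in this thread. It resolves the gen_id in suppress and threshold lines against the GENERATOR_* defines parsed from generators.h and marks any gen_id with no matching generator. The header excerpt, its values and the config lines are constructed samples and assumptions; parse the generators.h from your own Snort source tree for the authoritative GIDs.

```python
import re

# Constructed sample in the style of generators.h (names and values are
# assumptions; read the real file from your own Snort source tree).
SAMPLE_GENERATORS_H = """\
#define GENERATOR_SNORT_ENGINE        1
#define GENERATOR_SPP_PORTSCAN      100
#define     PORTSCAN_SCAN_DETECT        1
#define GENERATOR_SPP_BO            105
#define GENERATOR_SPP_STREAM4       111
"""

# Constructed suppress/threshold lines; the last one is commented out.
SAMPLE_CONF = """\
suppress gen_id 1, sig_id 1852
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
suppress gen_id 111, sig_id 2, track by_src, ip 10.1.1.54
suppress gen_id 250, sig_id 1
# suppress gen_id 105, sig_id 1
"""

DEFINE_RE = re.compile(r"^#define\s+(GENERATOR_\w+)\s+(\d+)\s*$")
RULE_RE = re.compile(r"^(suppress|threshold)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

def parse_generators(header_text):
    """Map GID -> generator name from the GENERATOR_* defines."""
    gids = {}
    for line in header_text.splitlines():
        # Per-generator SID defines lack the GENERATOR_ prefix and are skipped.
        m = DEFINE_RE.match(line)
        if m:
            gids[int(m.group(2))] = m.group(1)
    return gids

def audit_rules(conf_text, gids):
    """Return (keyword, gid, sid, generator name or None) per active rule."""
    results = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line.strip())  # lines starting with '#' do not match
        if m:
            gid, sid = int(m.group(2)), int(m.group(3))
            results.append((m.group(1), gid, sid, gids.get(gid)))
    return results

if __name__ == "__main__":
    table = parse_generators(SAMPLE_GENERATORS_H)
    for kw, gid, sid, name in audit_rules(SAMPLE_CONF, table):
        print(f"{kw:9} gid={gid:<4} sid={sid:<5} {name or 'UNKNOWN GENERATOR'}")
```

A rule whose gen_id resolves to no generator is worth a second look before deployment, since it was probably mistyped.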




