[Snort-sigs] gen_id in suppress and threshold rules

Nerijus Krukauskas nk99 at ...2507...
Thu May 27 23:52:05 EDT 2004

Russell Fulton wrote:
> The good book tells me I need both sig_id (no problems) and gen_id. 
> I've looked high and low for a definition of gen_id (I found it stands
> for generator_id but that does not really help).  All examples I have
> found have gen_id as 1 and using this seems to work fine. 

   Take a look at 'generators' and 'gen-msg.map' files (they should be 
along with all '*.rules' files). This should give you some info on 
what gen_id is.

NK @ Vilnius

Yesterday upon the stair I met a man who wasn't there. He wasn't there 
again today -- I think he's from the CIA.

More information about the Snort-sigs mailing list