[Snort-sigs] gen_id in suppress and threshold rules

Gary_Portnoy at ...2451...
Fri May 28 05:09:05 EDT 2004

Check out gen-msg.map, part of a rule distribution.

Gary Portnoy

Russell Fulton <r.fulton at ...575...>
Sent by: snort-sigs-admin at lists.sourceforge.net
05/27/2004 10:08 PM

        To:     snort-sigs at lists.sourceforge.net
        Subject:        [Snort-sigs] gen_id in suppress and threshold rules

Hi All,
After a small slammer outbreak that left several hundred 
alerts in the database (it was only on the net for about 15 minutes)
I've decided that it is time I came to grips with thresholds.

The good book tells me I need both sig_id (no problems) and gen_id. 
I've looked high and low for a definition of gen_id (I found it stands
for generator_id but that does not really help).  All examples I have
found have gen_id as 1 and using this seems to work fine. 

But I'm curious, and I don't like mysteries :)

Anyone care to shed some light or point to a reference?

Cheers and thanks, Russell.

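An added example, not part of the original thread or of the Snort distribution: a short Python check that reads lines in the gen-msg.map layout (`generator id || alert id || message`) and reports which generator each `threshold` or `suppress` line points at. The map entries, the config lines and the sig_id values are constructed for illustration.

```python
import re

# Constructed sample in the gen-msg.map layout: gen_id || alert_id || message
SAMPLE_MAP = """\
# generator || alert id || message
1 || 1 || snort general alert
100 || 1 || spp_portscan: Portscan Detected
116 || 1 || snort_decoder: Not IPv4 datagram!
"""

# Constructed threshold/suppress lines; the sig_id values are placeholders
SAMPLE_CONF = """\
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
suppress gen_id 100, sig_id 1
suppress gen_id 250, sig_id 7
"""

def parse_gen_map(text):
    """Return {gen_id: {alert_id: message}} from gen-msg.map style text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # skip malformed lines instead of guessing
        table.setdefault(int(parts[0]), {})[int(parts[1])] = parts[2]
    return table

DIRECTIVE = re.compile(r"^(threshold|suppress)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

def check_directives(conf, gen_map):
    """Return (keyword, gen_id, sig_id, note) for each threshold/suppress line."""
    results = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:
            continue
        kind, gen, sig = m.group(1), int(m.group(2)), int(m.group(3))
        if gen == 1:  # generator 1 is the rules engine
            note = "rules engine: sig_id is the rule's sid"
        elif gen in gen_map:
            note = gen_map[gen].get(sig, "generator known, alert id not in map")
        else:
            note = "unknown generator"
        results.append((kind, gen, sig, note))
    return results
```

A directive flagged "unknown generator" never matches an alert, so the events it was meant to limit keep reaching the database.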