[Snort-sigs] OSSRC Rules Overlap Committee
jeff-kell at ...922...
Tue Jan 31 17:31:01 EST 2006
Blake Hartstein wrote:
> Dear Current or Future Committee Members,
> As a possible solution to this problem, I think it would be reasonable
> to allow a 'vendor' keyword in the sid keyword. Take the following as
> an example,
> FORMAT sid:vendor,value;
The schema is already a bit crowded with generator-id, sig-id,
classification-id, and revision.
Your suggestion would work if we just assigned 'registered'
vendors/organizations a numeric range of existing sid values. That
would suffice for now. If the snort parser/oinkmaster/barnyard and
other tools want to adjust their interfaces to handle the 'vendor/sid'
translation to 'effective-sid' then fine, but it's not necessary.
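
An added illustration, not part of the original message or of any Snort tool: a sketch of the 'vendor/sid' to 'effective-sid' translation discussed above, assuming each registered vendor owns one contiguous numeric sid range. The vendor names, the ranges, and the sample rule are constructed for the example.

```python
import re

# Constructed registry (hypothetical vendors and ranges, not a real assignment).
VENDOR_RANGES = {
    "examplevendor": (2_000_000, 2_999_999),
    "localsite": (9_000_000, 9_099_999),
}

# Matches both the existing "sid:1234;" and the proposed "sid:vendor,1234;".
SID_OPT = re.compile(
    r"\bsid\s*:\s*(?:(?P<vendor>[A-Za-z][\w-]*)\s*,\s*)?(?P<value>\d+)\s*;"
)

def effective_sid(vendor, value):
    """Map a vendor-local value into that vendor's assigned numeric range."""
    try:
        low, high = VENDOR_RANGES[vendor.lower()]
    except KeyError:
        raise ValueError(f"unregistered vendor: {vendor!r}") from None
    sid = low + value
    if sid > high:
        # Refuse to spill into a neighbouring range; that is the overlap problem.
        raise ValueError(f"{vendor},{value} exceeds range {low}-{high}")
    return sid

def owner_of(sid):
    """Reverse lookup: which registered vendor owns this numeric sid, if any."""
    for vendor, (low, high) in VENDOR_RANGES.items():
        if low <= sid <= high:
            return vendor
    return None

def overlapping_ranges(ranges):
    """Return adjacent vendor pairs whose assigned ranges overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (_, a_hi)), (b, (b_lo, _)) in zip(items, items[1:])
            if b_lo <= a_hi]

def rewrite_rule(rule):
    """Rewrite 'sid:vendor,value;' to a plain numeric sid; leave numeric sids alone."""
    def repl(match):
        if match.group("vendor") is None:
            return match.group(0)
        return f"sid:{effective_sid(match.group('vendor'), int(match.group('value')))};"
    return SID_OPT.sub(repl, rule)

# Constructed sample rule using the proposed syntax.
SAMPLE = ('alert tcp any any -> any 80 (msg:"constructed example"; '
          'content:"test"; sid:examplevendor,1234; rev:1;)')

if __name__ == "__main__":
    print(rewrite_rule(SAMPLE))
```
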