[Snort-sigs] OSSRC Rules Overlap Committee

Jeff Kell jeff-kell at ...922...
Tue Jan 31 17:31:01 EST 2006


Blake Hartstein wrote:
> Dear Current or Future Committee Members,
> As a possible solution to this problem, I think it would be reasonable
> to allow a 'vendor' keyword in the sid keyword. Take the following as
> an example,
> FORMAT sid:vendor,value;
>
> sid:vrt,1234;
> sid:bleeding,1234;

The schema is already a bit crowded with generator-id, sig-id,
classification-id, and revision.

Your suggestion would work if we just assigned 'registered'
vendors/organizations a numeric range of existing sid values.  That
would suffice for now.  If the snort parser/oinkmaster/barnyard and
other tools want to adjust their interfaces to handle the 'vendor/sid'
translation to 'effective-sid' then fine, but it's not necessary.

Jeff
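
The numeric-range scheme suggested in the reply above, sketched as an added example (not part of the original post, and not code from Snort, Oinkmaster or Barnyard): a preprocessor that translates `sid:vendor,value;` into a plain numeric effective sid before any tool sees the rule. The vendor ranges, function names and sample rules are constructed for illustration; no real allocation is implied.

```python
import re

# Hypothetical per-vendor slices of the flat sid space (constructed values).
VENDOR_RANGES = {
    "vrt": (1_000_000, 1_999_999),
    "bleeding": (2_000_000, 2_999_999),
}

# Matches both 'sid:1234;' and the proposed 'sid:vendor,1234;' form.
SID_OPTION = re.compile(r"\bsid\s*:\s*(?:([A-Za-z][\w-]*)\s*,\s*)?(\d+)\s*;")

def effective_sid(vendor, value):
    """Map a vendor-local value into that vendor's assigned numeric range."""
    if vendor.lower() not in VENDOR_RANGES:
        raise ValueError(f"unregistered vendor: {vendor!r}")
    low, high = VENDOR_RANGES[vendor.lower()]
    sid = low + value
    if sid > high:
        # Refuse to spill into the next vendor's range (silent sid collision).
        raise ValueError(f"{vendor},{value} falls outside {low}-{high}")
    return sid

def vendor_sid(sid):
    """Reverse lookup for alert output: effective sid -> (vendor, local value)."""
    for vendor, (low, high) in VENDOR_RANGES.items():
        if low <= sid <= high:
            return vendor, sid - low
    return None, sid

def rewrite_rule(rule):
    """Rewrite 'sid:vendor,value;' to 'sid:N;'; numeric sids pass through unchanged."""
    def repl(match):
        vendor, value = match.group(1), int(match.group(2))
        if vendor is None:
            return match.group(0)
        return f"sid:{effective_sid(vendor, value)};"
    return SID_OPTION.sub(repl, rule)

# Constructed sample rules using the keyword forms quoted in the thread.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed example A"; sid:vrt,1234; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed example B"; sid:bleeding,1234; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed example C"; sid:42; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rewrite_rule(rule))
```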



