[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

Nigel Houghton nhoughton at ...435...
Tue Sep 28 13:39:43 EDT 2010

On Tue, 28 Sep 2010 17:29:35 +0000, Eoin Miller wrote:
>   On 9/28/2010 5:25 PM, waldo kitty wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> I have to ask, because I must be missing something here.
>>> SID:17494 - web-client.rules -
>> what's the GID? i suspect it is 3??
>> FWIW: i see that the GID is becoming more and more important when 
>> talking about
>> rules...
> It's (the GID) going to be 1 because that ruleset is not for a preprocessor.
> -- Eoin

To be clear:

Shared object rules are not pre-processors, they have a GID of 3. They 
use the same SID range as regular rules (GID 1).

Pre-processors do not use the same SID range.

Yes, it is important to use the GID:SID tuple when talking about 
events, it is also useful to include the rev of the rule, so 
GID:SID:Rev is preferred.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

More information about the Snort-sigs mailing list