[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27
nhoughton at ...435...
Tue Sep 28 13:39:43 EDT 2010
On Tue, 28 Sep 2010 17:29:35 +0000, Eoin Miller wrote:
> On 9/28/2010 5:25 PM, waldo kitty wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> I have to ask, because I must be missing something here.
>>> SID:17494 - web-client.rules -
>> what's the GID? i suspect it is 3??
>> FWIW: i see that the GID is becoming more and more important when
>> talking about
> It's (the GID) going to be 1 because that ruleset is not for a preprocessor.
> -- Eoin
To be clear:
Shared object rules are not pre-processors; they have a GID of 3. They
use the same SID range as regular rules (GID 1).
Pre-processors do not use the same SID range.
Yes, it is important to use the GID:SID tuple when talking about
events; it is also useful to include the rev of the rule, so
GID:SID:Rev is preferred.
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
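
The point of the reply above, as an added example (not part of the original thread and not a Sourcefire tool): a Python script that keys Snort fast-format alert lines on the full GID:SID:Rev tuple and reports SIDs that occur under more than one generator. The sample lines, messages and addresses are constructed and do not state the real GID or revision of SID 17494; the function names are hypothetical.

```python
import re
from collections import Counter

# Fast-format alert lines carry the identifier as [GID:SID:Rev].
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")

def generator_kind(gid):
    """Map a GID to the kind of rule source described in the thread."""
    if gid == 1:
        return "text rule"
    if gid == 3:
        return "shared object rule"
    return "other generator (e.g. preprocessor)"

def parse_alert(line):
    """Return (gid, sid, rev) as ints, or None if the line has no identifier."""
    m = ALERT_ID.search(line)
    return tuple(int(x) for x in m.groups()) if m else None

def count_by_tuple(lines):
    """Count alerts per GID:SID:Rev, skipping lines that do not parse."""
    keys = (parse_alert(line) for line in lines)
    return Counter(k for k in keys if k is not None)

def ambiguous_sids(counts):
    """SIDs seen under more than one GID, where the SID alone is not enough."""
    gids = {}
    for gid, sid, _rev in counts:
        gids.setdefault(sid, set()).add(gid)
    return {sid: sorted(g) for sid, g in gids.items() if len(g) > 1}

# Constructed sample input, not real sensor output.
SAMPLE = [
    "09/28-13:39:43.000001 [**] [1:17494:1] constructed text-rule msg [**] {TCP} 10.0.0.5:49152 -> 192.0.2.10:80",
    "09/28-13:39:44.000002 [**] [3:17494:1] constructed SO-rule msg [**] {TCP} 10.0.0.6:49153 -> 192.0.2.10:80",
    "09/28-13:39:45.000003 [**] [3:17494:2] constructed SO-rule msg [**] {TCP} 10.0.0.6:49154 -> 192.0.2.10:80",
    "09/28-13:39:46.000004 [**] [119:2:1] constructed preprocessor msg [**] {TCP} 10.0.0.7:49155 -> 192.0.2.10:80",
    "09/28-13:39:47.000005 [**] [1:17494:1] constructed text-rule msg [**] {TCP} 10.0.0.5:49156 -> 192.0.2.10:80",
    "09/28-13:39:48.000006 line without an alert identifier",
]

if __name__ == "__main__":
    counts = count_by_tuple(SAMPLE)
    for (gid, sid, rev), n in sorted(counts.items()):
        print(f"{gid}:{sid}:{rev}  x{n}  {generator_kind(gid)}")
    for sid, gids in ambiguous_sids(counts).items():
        print(f"SID {sid} appears under GIDs {gids}; report it as GID:SID:Rev")
```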