[Snort-users] Custom rule sets
cmg at ...671...
Mon Nov 26 08:31:07 EST 2001
"Madhav Diwan" <mdiwan at ...200...> writes:
> A few quick questions for those in the know,
> If I make a custom rule for some type of signature that I define myself
> and I don't have a sid in the rule .. how does this affect the placement
> of an alert from that rule into a Snort MySQL database ?
Custom ( User defined ) rules can use the 1000000+ sid range.
> who ( what agency,... or is it Marty or someone else on development
> teams ) defines the sid number for a signature?
The snort development team is the official answer for that, I believe.
> how do we submit signatures for inclusion into the rulesets?
Post to snort sigs
> Is each sid unique?
Yes ( supposed to be )
> .. what role does the revision number play?...
Rules aren't always right the first time
> The two big questions would be:
> ****CAN I MAKE AN INDEX of the rules based on SID numbers?... this would
> help in creating an autoupdate utility for the rule sets.
Yes. This is what sid-msg.map is.
> ****How do I define my own rule numbers/ sid numbers without messing up
> the way I update rules from cvs..
> I.E. is there a set of sid numbers that is RESERVED for user defined
Yup, see above.
> what other ways are there for us to uniquely tag custom signature rules?
Your own custom prefix msg. Your own rule type. Your own include
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.
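
As an added example (not part of the original message, and not Snort's own tooling): a small Python audit that indexes a local rules file by SID in the `sid || msg` layout of sid-msg.map and flags custom rules whose sid is missing, duplicated, or below the 1000000 user range mentioned in the reply. The sample rules are constructed for illustration, and the optional reference columns that sid-msg.map can carry are omitted.

```python
import re

LOCAL_SID_MIN = 1000000  # start of the user-defined sid range named in the reply

# Constructed sample rules file (not from the original post).
SAMPLE_RULES = '''
alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL admin console probe"; content:"/admin"; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL ftp banner grab"; flow:established; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL dns oddity"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"LOCAL smtp test"; sid:4242; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ping with no sid";)
# alert tcp any any -> any any (msg:"LOCAL disabled rule"; sid:1000009; rev:1;)
'''.strip()

MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')

def audit(rules_text):
    """Return (index, problems); index maps sid -> (rev, msg, line number)."""
    index, problems = {}, []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        sid_m, rev_m, msg_m = (rx.search(line) for rx in (SID_RE, REV_RE, MSG_RE))
        if not sid_m:
            problems.append((lineno, "missing sid"))
            continue
        sid = int(sid_m.group(1))
        if sid < LOCAL_SID_MIN:
            problems.append((lineno, f"sid {sid} is below the local range"))
        if sid in index:
            problems.append((lineno, f"sid {sid} already used on line {index[sid][2]}"))
            continue  # keep the first definition in the index
        rev = int(rev_m.group(1)) if rev_m else None
        index[sid] = (rev, msg_m.group(1) if msg_m else "", lineno)
    return index, problems

def sid_msg_map(index):
    """Render 'sid || msg' lines, the layout used by sid-msg.map."""
    return [f"{sid} || {msg}" for sid, (_rev, msg, _ln) in sorted(index.items())]

if __name__ == "__main__":
    idx, probs = audit(SAMPLE_RULES)
    print("\n".join(sid_msg_map(idx)))
    for lineno, why in probs:
        print(f"line {lineno}: {why}")
```

Running the audit before each merge from the upstream rule set keeps local sids unique and out of the range that the distributed rules use.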