[Snort-users] Custom rule sets

Chris Green cmg at ...671...
Mon Nov 26 08:31:07 EST 2001

"Madhav Diwan" <mdiwan at ...200...> writes:

> Hello,
>  A few quick questions for those in the know,
> If I make a custom rule for some type of signature that I define myself
> and I don't have a sid in the rule .. how does this affect the placement
> of an alert from that rule into a Snort MySQL database ?

Custom (user-defined) rules can use the 1000000+ sid range.

> Who ( what agency,... or is it Marty or someone else on development
> teams ) defines the sid number for a signature?

The Snort development team is the official answer for that, I believe.

> how do we submit signatures for inclusion into the rulesets?

Post to snort sigs.

> Is each sid unique?

Yes (supposed to be).

> .. what role does the revision number play?...

Rules aren't always right the first time.

> The two big questions would be:
> ****CAN I MAKE AN INDEX of the rules based on SID numbers?... this would
> help in creating an autoupdate utility for the rule sets.

Yes. This is what sid-msg.map is.

> ****How do I define my own rule numbers/ sid numbers without messing up
> the way I update rules from cvs..
> I.E.  is there a set of sid numbers that is RESERVED for user defined
> signatures?

Yup, see above.


> Finally,
> what other ways are there for us to uniquely tag custom signature rules?

Your own custom prefix msg. Your own rule type. Your own include
file. Etc.

Chris Green <cmg at ...671...>
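
The sid conventions from this thread, as an added example that is not part of the original post or of Snort's own tooling: a checker that indexes a local rules file by sid, flags rules with no sid, a sid below the 1000000+ user range, or a reused sid, and renders the index as "sid || msg" lines in the sid-msg.map layout. The sample rules are constructed, the function names are hypothetical, and one rule per line is assumed.

```python
import re

LOCAL_SID_MIN = 1000000  # start of the user-defined range named in the thread

# Constructed sample local rules file (hypothetical, not from any real ruleset).
SAMPLE_RULES = '''\
alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL admin console probe"; content:"/admin"; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL ftp test"; content:"sid:5;"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"LOCAL disabled rule"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL odd ping"; sid:2001; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"LOCAL smtp test"; sid:1000002; rev:3;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet attempt";)
'''

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
MSG = re.compile(r'\bmsg\s*:\s*"((?:\\.|[^"\\])*)"\s*;')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def index_local_rules(text):
    """Return (index, problems); index maps sid -> (rev or None, msg)."""
    index, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        msg = MSG.search(line)
        bare = QUOTED.sub('""', line)  # ignore "sid:" text inside quoted strings
        sid, rev = SID.search(bare), REV.search(bare)
        if sid is None:
            problems.append((lineno, "missing sid"))
            continue
        n = int(sid.group(1))
        if n < LOCAL_SID_MIN:
            problems.append((lineno, "sid %d is below the local range" % n))
        elif n in index:
            problems.append((lineno, "duplicate sid %d" % n))
        else:
            index[n] = (int(rev.group(1)) if rev else None, msg.group(1) if msg else "")
    return index, problems


def sid_msg_map(index):
    """Render index entries as 'sid || msg' lines, the sid-msg.map layout."""
    return ["%d || %s" % (sid, msg) for sid, (_rev, msg) in sorted(index.items())]


if __name__ == "__main__":
    idx, probs = index_local_rules(SAMPLE_RULES)
    print("\n".join(sid_msg_map(idx)))
    for lineno, why in probs:
        print("line %d: %s" % (lineno, why))
```

Rules flagged as problems are left out of the index, so the generated map only contains entries that are safe to merge alongside the official sid-msg.map.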
