[Snort-users] Custom rule sets

Chris Green cmg at ...671...
Mon Nov 26 08:31:07 EST 2001


"Madhav Diwan" <mdiwan at ...200...> writes:

> Hello,
>
>  
>  A few quick questions for those in the know,
>
> If I make a custom rule for some type of signature that I define myself
> and I don't have a sid in the rule, how does this affect the placement
> of an alert from that rule into a Snort MySQL database?

Custom ( User defined ) rules can use the 1000000+ sid range.
>
> who ( what agency,... or is it Marty or someone else on development
> teams ) defines the sid number for a signature?

The Snort development team is the official answer for that, I believe.

> how do we submit signatures for inclusion into the rulesets?

Post to snort sigs
>
> Is each sid unique?

Yes ( supposed to be )

> .. what role does the revision number play?...

Rules aren't always right the first time

>
> The two big questions would be:
>
> ****CAN I MAKE AN INDEX of the rules based on SID numbers?... this would
> help in creating an autoupdate utility for the rule sets.

Yes. This is what sid-msg.map is.

> ****How do I define my own rule numbers/sid numbers without messing up
> the way I update rules from cvs..
> I.E.  is there a set of sid numbers that is RESERVED for user defined
> signatures?

Yup, see above.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.26

>
>
> Finally,
>
> what other ways are there for us to uniquely tag custom signature rules?

Your own custom prefix msg. Your own rule type. Your own include
file.  etc. 


-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.
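The reply above covers the reserved 1000000+ sid range, sid uniqueness, the rev option and sid-msg.map. As an added example (not from the post or from the Snort project), the Python below indexes a rule file the same way: it extracts msg/sid/rev from each rule, keeps the newest rev per sid, flags custom rules whose sid falls outside the reserved range or that collide at the same rev, and emits sid-msg.map lines. The rule text and the `CUSTOM_SID_MIN` threshold are constructed for the example.

```python
import re

# Constructed sample rules for the example (not from the original post).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example probe"; content:"probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example probe v2"; content:"probe2"; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL dns oddity"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"bad custom sid"; sid:42; rev:1;)
"""

# Matches one "key:value;" option; the quoted alternative keeps ';' inside msg strings intact.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
CUSTOM_SID_MIN = 1000000  # start of the user-defined sid range mentioned in the reply

def parse_rule(line):
    """Return {'msg', 'sid', 'rev'} for a rule line, or None if it has no sid."""
    m = re.search(r'\((.*)\)\s*$', line)
    if not m:
        return None
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(1))}
    if 'sid' not in opts:
        return None
    return {'msg': opts.get('msg', ''), 'sid': int(opts['sid']), 'rev': int(opts.get('rev', 1))}

def index_rules(text, require_custom_range=True):
    """Build {sid: (rev, msg)}, keeping the highest rev; collect policy problems."""
    index, problems = {}, []
    for line in text.splitlines():
        r = parse_rule(line)
        if not r:
            continue
        sid, rev = r['sid'], r['rev']
        if require_custom_range and sid < CUSTOM_SID_MIN:
            problems.append(f"sid {sid} is outside the custom range (>= {CUSTOM_SID_MIN})")
            continue
        if sid in index and index[sid][0] == rev:
            problems.append(f"sid {sid} rev {rev} appears twice; sids must be unique")
        if sid not in index or rev > index[sid][0]:
            index[sid] = (rev, r['msg'])  # a newer rev replaces the older rule
    return index, problems

def sid_msg_map(index):
    """Render the index in the 'sid || msg' form used by sid-msg.map."""
    return "\n".join(f"{sid} || {msg}" for sid, (rev, msg) in sorted(index.items()))

if __name__ == "__main__":
    idx, probs = index_rules(SAMPLE_RULES)
    print(sid_msg_map(idx))
    print("\n".join(probs))
```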