[Snort-users] Rule code

Jan van den Berg jan at ...8420...
Wed May 14 20:36:06 EDT 2003


Hello there,

I'm working on a piece of a program that queries the Snort database.

For this program I need to know what rule corresponds with what signature.

See, I am a bit confused with the signatures and the rules. Right now I am thinking that every ruleset has a signature, is this true? Or does every rule itself have a signature?

When I do a "SELECT * FROM EVENT;" I see a SID, CID, SIGNATURE and a TIMESTAMP column.

So my guess is that the SIGNATURE column is the one that holds a reference to the rule(set).

I need to find out what ruleset has been applied when an alert is logged (dns.rules, dos.rules, netbios.rules etc.).

What is the best way to find this out, and how does the ruleset correlate with the SIGNATURES?

Regards,


Jan van den Berg

 
