[Snort-users] Fwd: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)

Will Metcalf william.metcalf at ...11827...
Tue Nov 1 11:04:44 EDT 2011


Would it be possible to update the sid entry of the snort manual to
reflect the existence of ET? For all practical purposes sids in the
range of 2000000 - 3000000 should not be assigned to local rules, as
this is the range used by ET. Even if people are dedicated VRT users,
they may decide to cherry pick from the ET set every now and again,
and dealing with sid overlaps sucks. I realize that ET/VRT doesn't
always see eye-to-eye but with 4 billion or so possible rule-ids
what's the harm? I think this will just save a ton of confusion.
Wasn't there supposed to be some like official body that was going to
dole out sid-ranges or something a long time ago?

http://manual.snort.org/node30.html#keyword_sid

Regards,

Will

---------- Forwarded message ----------
From: shadowbq <reply+i-1646003-b8506d330676c4925c42dc95145e98d21ae1fd3d at ...846....15428...>
Date: Mon, Oct 31, 2011 at 10:46 PM
Subject: Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
To: William Metcalf <william.metcalf at ...11827...>


```diff
 if signature.sig_sid <= 1000000
+      @...15430... = if Setting.vrt_signature_lookup?
+        Setting.find(:vrt_signature_lookup)
+      else
+        VRT_SIGNATURE_URL
+      end
+    elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000)
+      @...15430... = if Setting.local_signature_lookup?
+        Setting.find(:local_signature_lookup)
+      else
+        LOCAL_SIGNATURE_URL
+      end
+    elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000)
+      @...15430... = if Setting.et_signature_lookup?
+        Setting.find(:et_signature_lookup)
+      else
```
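Review bot: the sid boundaries are hard-coded in each branch and, in the lines shown, nothing handles sids of 3000000 and above; the last visible test is `elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000)`. Name the boundaries as constants next to VRT_SIGNATURE_URL, LOCAL_SIGNATURE_URL and the ET default, and make sure a final else covers every sid outside the three ranges so the lookup URL is never left unset. The "Setting present, else constant" lookup is also repeated three times with only the key changing; a small helper that takes the setting name and the fallback constant would remove the duplication.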
Signature SIDs don't really have a dedicated range and this is just
best guessing. SIDs are generally a mess.

--
Reply to this email directly or view it on GitHub:
https://github.com/Snorby/snorby/issues/138#issuecomment-2586481
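
A check for the sid overlap problem discussed in this thread, as an added example that is not part of the original messages or of Snorby: it reports sids reused across rule files and local rules numbered inside the ET range. The range boundary follows the quoted patch; the file names, sample rules and function names are constructed for illustration.

```ruby
# Added example, not Snorby code. The ET range boundaries follow the quoted
# patch, which the thread itself describes as a best guess.
ET_RANGE = (2_000_000...3_000_000)

# Constructed sample input: { file name => rule text }. Names and rules are made up.
SAMPLE_RULES = {
  "local.rules" => <<~RULES,
    alert tcp any any -> any 80 (msg:"LOCAL test one"; content:"abc"; sid:1000001; rev:1;)
    # alert tcp any any -> any 80 (msg:"LOCAL disabled"; content:"x"; sid:1000002; rev:1;)
    alert tcp any any -> any 80 (msg:"LOCAL badly numbered"; content:"def"; sid:2999001; rev:1;)
  RULES
  "emerging-sample.rules" => <<~RULES
    alert tcp any any -> any 22 (msg:"ET sample rule"; flow:to_server; sid:2999001; rev:20;)
  RULES
}.freeze

# Extract [file, sid] pairs from rule text; blank and comment lines are skipped.
def sids_by_file(rules)
  rules.flat_map do |file, text|
    text.each_line
        .reject { |l| l.strip.empty? || l.lstrip.start_with?("#") }
        .map { |l| l[/[(;]\s*sid\s*:\s*(\d+)\s*;/, 1] }
        .compact
        .map { |sid| [file, sid.to_i] }
  end
end

# Sids that appear more than once across all files: { sid => [files] }.
def sid_collisions(rules)
  sids_by_file(rules).group_by { |_, sid| sid }
                     .select { |_, hits| hits.size > 1 }
                     .transform_values { |hits| hits.map(&:first) }
end

# Rules in the files treated as local whose sid falls inside the ET range.
def local_sids_in_et_range(rules, local_files)
  sids_by_file(rules).select do |file, sid|
    local_files.include?(file) && ET_RANGE.cover?(sid)
  end
end

if __FILE__ == $PROGRAM_NAME
  sid_collisions(SAMPLE_RULES).each { |sid, files| puts "sid #{sid} reused in: #{files.join(', ')}" }
  local_sids_in_et_range(SAMPLE_RULES, ["local.rules"]).each do |file, sid|
    puts "#{file}: local rule uses sid #{sid}, which is inside the ET range"
  end
end
```

The sid match is a plain regular expression over each rule line, so a rule whose quoted content happens to contain `; sid:N;` would be misread.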



