[Snort-users] [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)

Joel Esler jesler at ...1935...
Tue Nov 1 11:22:06 EDT 2011


We'll take a look, Will, thanks.  We're in the middle of a big change right now, so I'll take a look.


On Nov 1, 2011, at 11:04 AM, Will Metcalf wrote:

> Would it be possible to update the sid entry of the snort manual to
> reflect the existence of ET? For all practical purposes sids in the
> range of  2000000 - 3000000 should not be assigned to local rules, as
> this is the range used by ET. Even if people are dedicated VRT users,
> they may decide to cherry pick from the ET set every now and again,
> and dealing with sid overlaps sucks. I realize that ET/VRT doesn't
> always see eye-to-eye but with 4 billion or so possible rule-ids
> what's the harm? I think this will just save a ton of confusion.
> Wasn't there supposed to be some like official body that was going to
> dole out sid-ranges or something a long time ago?
> 
> http://manual.snort.org/node30.html#keyword_sid
> 
> Regards,
> 
> Will
> 
> ---------- Forwarded message ----------
> From: shadowbq <reply+i-1646003-b8506d330676c4925c42dc95145e98d21ae1fd3d at ...15428...>
> Date: Mon, Oct 31, 2011 at 10:46 PM
> Subject: Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)
> To: William Metcalf <william.metcalf at ...11827...>
> 
> 
> ```diff
>  if signature.sig_sid <= 1000000
> +      @signature_url = if Setting.vrt_signature_lookup?
> +        Setting.find(:vrt_signature_lookup)
> +      else
> +        VRT_SIGNATURE_URL
> +      end
> +    elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000)
> +      @signature_url = if Setting.local_signature_lookup?
> +        Setting.find(:local_signature_lookup)
> +      else
> +        LOCAL_SIGNATURE_URL
> +      end
> +    elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000)
> +      @signature_url = if Setting.et_signature_lookup?
> +        Setting.find(:et_signature_lookup)
> +      else
> ```
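Review bot: the range boundaries in this hunk are inconsistent: the VRT branch keeps `if signature.sig_sid <= 1000000` while the local branch starts at `(signature.sig_sid > 1000000)`, yet the ET branch uses an inclusive lower bound `(signature.sig_sid >= 2000000)`, so sid 1000000 lands in the VRT lookup while 2000000 lands in ET; make the bounds consistent by testing `signature.sig_sid < 1000000` for VRT and `signature.sig_sid >= 1000000` for local. The explicit lower-bound checks in each `elsif` are also redundant once the preceding branch has failed, so `elsif signature.sig_sid < 2000000` and `elsif signature.sig_sid < 3000000` would read more simply. The hunk is cut off after the ET branch's `else`, so the ET fallback URL and what happens for sids at or above 3000000 cannot be reviewed here; please include the rest of the block.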
> Signature SIDs don't really have a dedicated range and this is just
> best guessing. SIDs are generally a mess.
> 
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/Snorby/snorby/issues/138#issuecomment-2586481
> 
