[Snort-users] Fwd: [snorby] VRT/ET/Local rule look-ups by assigned sid range. (#138)

JJC cummingsj at ...11827...
Tue Nov 1 11:36:53 EDT 2011


There are a lot of users that use sid values in this range for their own
(non-ET) rules.  I'm curious what you mean about SID overlap, as the only
overlap was caused by ET publishing sids that are below the 1M mark?  There
are absolutely no VRT sids that are in the reserved local range of >
999,999, thus not causing any overlap in that range.

My .02 anyway

JJC

On Tue, Nov 1, 2011 at 9:04 AM, Will Metcalf <william.metcalf at ...11827...>wrote:

> Would it be possible to update the sid entry of the snort manual to
> reflect the existence of ET? For all practical purposes sids in the
> range of 2000000 - 3000000 should not be assigned to local rules, as
> this is the range used by ET. Even if people are dedicated VRT users,
> they may decide to cherry-pick from the ET set every now and again,
> and dealing with sid overlaps sucks.   I realize that ET/VRT don't
> always see eye-to-eye but with 4 billion or so possible rule-ids
> what's the harm? I think this will just save a ton of confusion.
> Wasn't there supposed to be some official body that was going to
> dole out sid-ranges or something a long time ago?
>
> http://manual.snort.org/node30.html#keyword_sid
>
> Regards,
>
> Will
>
> ---------- Forwarded message ----------
> From: shadowbq <
> reply+i-1646003-b8506d330676c4925c42dc95145e98d21ae1fd3d at ...15428...>
> Date: Mon, Oct 31, 2011 at 10:46 PM
> Subject: Re: [snorby] VRT/ET/Local rule look-ups by assigned sid range.
> (#138)
> To: William Metcalf <william.metcalf at ...11827...>
>
>
> ```diff
>  if signature.sig_sid <= 1000000
> +      @signature_url = if Setting.vrt_signature_lookup?
> +        Setting.find(:vrt_signature_lookup)
> +      else
> +        VRT_SIGNATURE_URL
> +      end
> +    elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000)
> +      @signature_url = if Setting.local_signature_lookup?
> +        Setting.find(:local_signature_lookup)
> +      else
> +        LOCAL_SIGNATURE_URL
> +      end
> +    elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000)
> +      @signature_url = if Setting.et_signature_lookup?
> +        Setting.find(:et_signature_lookup)
> +      else
> ```
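Review bot: the first condition `if signature.sig_sid <= 1000000` sends sid 1000000 to the VRT lookup, but the local range starts at 1,000,000 (the reply above describes it as "> 999,999"), so the test should be `< 1000000`; with that change the `(signature.sig_sid > 1000000)` half of the next `elsif` is redundant and the branch can simply read `elsif signature.sig_sid < 2000000`. The quoted hunk stops right after the ET branch's `else`, so whatever follows there should also route sids of 3000000 and above back to the local lookup rather than leaving them without a URL, since that part of the local range is not used by ET either.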
> Signature SIDs don't really have a dedicated range and this is just
> best guessing. SIDs are generally a mess.
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/Snorby/snorby/issues/138#issuecomment-2586481
>
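As an added example of the range split the thread argues over (my code, not Snorby's or the Snort project's), the snippet below classifies a sid by the boundaries the thread cites and audits a local.rules file for sids that land in a vendor range or collide with each other. The ranges it assumes are VRT below 1,000,000, local at 1,000,000 and above, and ET at 2,000,000 to 2,999,999 sitting inside the local range; the 32-bit ceiling on sid and the sample rule text are my own assumptions and are constructed, not real rules.

```ruby
# Added example, not code from Snorby or the Snort project.
# Classifies Snort rule SIDs by the ranges discussed in the thread and
# audits a local.rules file for SIDs that fall into a vendor range.
#
# Assumed ranges (from the thread and the Snort manual's sid keyword):
#   :vrt   1 .. 999_999            (VRT/Sourcefire rules)
#   :local 1_000_000 and above     (reserved for local rules by the manual)
#   :et    2_000_000 .. 2_999_999  (Emerging Threats, inside the local range)

VRT_RANGE = (1...1_000_000)
ET_RANGE  = (2_000_000...3_000_000)
MAX_SID   = 2**32 - 1 # assumption: sid is a 32-bit value ("4 billion or so")

# Map a SID to the rule set its number suggests. ET is checked before the
# generic local test because the ET block sits inside the local range.
def sid_source(sid)
  return :unknown unless sid.is_a?(Integer) && sid.between?(1, MAX_SID)
  return :vrt if VRT_RANGE.cover?(sid)
  return :et  if ET_RANGE.cover?(sid)
  :local
end

# Pull sid/msg pairs out of rule text. Commented-out and blank lines are
# skipped. Returns an array of {line:, sid:, msg:} hashes.
def parse_rules(text)
  text.each_line.with_index(1).filter_map do |line, no|
    next if line.lstrip.start_with?('#') || line.strip.empty?
    sid = line[/\bsid\s*:\s*(\d+)\s*;/, 1] or next
    msg = line[/\bmsg\s*:\s*"((?:\\.|[^"\\])*)"/, 1]
    { line: no, sid: sid.to_i, msg: msg }
  end
end

# Report local rules whose sid does not belong to the local range, plus
# any sid that appears more than once in the file.
def audit_local_rules(text)
  rules = parse_rules(text)
  misplaced = rules.reject { |r| sid_source(r[:sid]) == :local }
                   .map { |r| r.merge(source: sid_source(r[:sid])) }
  dupes = rules.group_by { |r| r[:sid] }
               .select { |_, rs| rs.size > 1 }
               .map { |sid, rs| { sid: sid, lines: rs.map { |r| r[:line] } } }
  { misplaced: misplaced, duplicates: dupes }
end

# Constructed sample local.rules content (not real rules).
SAMPLE_LOCAL_RULES = <<~RULES
  # local.rules (sample)
  alert tcp any any -> any 80 (msg:"LOCAL web probe"; sid:1000001; rev:1;)
  alert tcp any any -> any 22 (msg:"LOCAL ssh brute"; sid:2000001; rev:1;)
  alert udp any any -> any 53 (msg:"LOCAL dns txt"; sid:999999; rev:2;)
  alert tcp any any -> any 443 (msg:"LOCAL tls sni"; sid:1000001; rev:1;)
  # alert tcp any any -> any 25 (msg:"disabled"; sid:2000002; rev:1;)
RULES

if __FILE__ == $PROGRAM_NAME
  report = audit_local_rules(SAMPLE_LOCAL_RULES)
  report[:misplaced].each do |r|
    puts "line #{r[:line]}: sid #{r[:sid]} (#{r[:msg]}) is in the #{r[:source]} range"
  end
  report[:duplicates].each do |d|
    puts "sid #{d[:sid]} appears on lines #{d[:lines].join(', ')}"
  end
end
```

Run it against a real local.rules by replacing SAMPLE_LOCAL_RULES with `File.read('local.rules')`; the two findings it reports on the sample (a local rule numbered into the ET block, and one numbered below 1,000,000 into the VRT block) are exactly the overlaps the thread wants the manual to warn about.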