snort-sigs September 2010 archive

Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-09-27

From: Nigel Houghton <nhoughton_at_nospam>
Date: Tue Sep 28 2010 - 17:39:43 GMT
To: Eoin Miller <eoin.miller@trojanedbinaries.com>

On Tue, 28 Sep 2010 17:29:35 +0000, Eoin Miller wrote:
> On 9/28/2010 5:25 PM, waldo kitty wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> I have to ask, because I must be missing something here.
>>>
>>> SID:17494 - web-client.rules -
>> what's the GID? i suspect it is 3??
>>
>> FWIW: i see that the GID is becoming more and more important when
>> talking about rules...
>>
> It's (the GID) going to be 1 because that ruleset is not for a preprocessor.
>
> -- Eoin

To be clear:

Shared object rules are not pre-processors; they have a GID of 3. They
use the same SID range as regular rules (GID 1).

Pre-processors do not use the same SID range.

Yes, it is important to use the GID:SID tuple when talking about
events; it is also useful to include the rev of the rule, so
GID:SID:Rev is preferred.

-- 
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
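The point of the reply above is that a SID on its own is ambiguous: a text rule (GID 1) and a shared object rule (GID 3) can carry the same SID, and preprocessor generators use their own numbering, so events should be named by GID:SID:Rev. The script below, an added example that is not part of the thread or of Snort itself, parses event ids out of alert lines written in Snort's alert_fast layout and out of rule option blocks, and shows how counting by SID alone merges GID 1 and GID 3 events that keying on the (GID, SID) pair keeps apart. The sample alert lines and the rule text are constructed for this example; the SID 17494 is the one mentioned in the thread, but the rev values, messages and addresses shown here are illustrative, not real VRT content.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast layout (not taken from the
# thread).  Each event carries its generator, signature and revision as
# [gid:sid:rev].  Messages, revs and addresses are illustrative only.
SAMPLE_ALERTS = """\
09/28-17:29:35.000001  [**] [1:17494:3] WEB-CLIENT example text rule [**] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.2:40000
09/28-17:29:36.000002  [**] [3:17494:2] WEB-CLIENT example shared object rule [**] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.2:40001
09/28-17:29:37.000003  [**] [119:2:1] (http_inspect) example preprocessor event [**] [Priority: 3] {TCP} 10.0.0.3:40002 -> 10.0.0.4:80
09/28-17:29:38.000004  [**] [1:17494:3] WEB-CLIENT example text rule [**] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.5:40003
"""

EVENT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_alert_ids(text):
    """Return a (gid, sid, rev) tuple for every alert line carrying an event id."""
    ids = []
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            ids.append(tuple(int(x) for x in m.groups()))
    return ids


def rule_origin(gid):
    """Classify an event by generator id, as the reply above describes."""
    if gid == 1:
        return "text rule"
    if gid == 3:
        return "shared object rule"
    # Every other generator (decoder, preprocessor) has its own SID space.
    return "preprocessor or decoder"


def format_id(event_id):
    """Render an event id in the recommended GID:SID:Rev form."""
    return "%d:%d:%d" % event_id


def count_by_sid(ids):
    """The ambiguous count: SID alone merges GID 1 and GID 3 events."""
    return Counter(sid for _, sid, _ in ids)


def count_by_gid_sid(ids):
    """The unambiguous count, keyed on the (gid, sid) pair."""
    return Counter((gid, sid) for gid, sid, _ in ids)


# Option keywords as they appear inside a rule's parenthesised option block.
OPTION = {name: re.compile(r"\b%s\s*:\s*(\d+)\s*;" % name)
          for name in ("gid", "sid", "rev")}


def rule_ids(rule_text):
    """Extract (gid, sid, rev) from a rule's option block.

    Text rules normally omit gid, which Snort treats as 1; shared object
    rule stubs carry an explicit gid:3.  Returns None when sid is missing,
    and None in the rev slot when the rule carries no rev keyword.
    """
    found = {}
    for name, pattern in OPTION.items():
        m = pattern.search(rule_text)
        if m:
            found[name] = int(m.group(1))
    if "sid" not in found:
        return None
    return (found.get("gid", 1), found["sid"], found.get("rev"))


if __name__ == "__main__":
    ids = parse_alert_ids(SAMPLE_ALERTS)
    for event_id in ids:
        print(format_id(event_id), "->", rule_origin(event_id[0]))
    print("by SID only:", dict(count_by_sid(ids)))
    print("by GID:SID: ", dict(count_by_gid_sid(ids)))
```

Run on the sample lines, the SID-only count reports three hits for 17494 while the (GID, SID) count correctly shows two text-rule events and one shared object rule event; the http_inspect event lives under its own generator and never collides with either.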