Snort mailing list archives

Re: Custom rule sets


From: Chris Green <cmg () uab edu>
Date: Mon, 26 Nov 2001 10:30:58 -0600

"Madhav Diwan" <mdiwan () wagweb com> writes:

> Hello,
>
> A few quick questions for those in the know,
>
> If I make a custom rule for some type of signature that I define myself
> and I don't have a sid in the rule.. how does this affect the placement
> of an alert from that rule into a Snort MySQL database?

Custom (user defined) rules can use the 1000000+ sid range.

> who (what agency,... or is it Marty or someone else on development
> teams) defines the sid number for a signature?

The snort development team is the official answer for that I believe

> how do we submit signatures for inclusion into the rulesets?

Post to snort sigs

> Is each sid unique?

Yes (supposed to be)

> .. what role does the revision number play?...

Rules aren't always right the first time

> The two big questions would be:
>
> ****CAN I MAKE AN INDEX of the rules based on SID numbers?... this would
> help in creating an autoupdate utility for the rule sets.

Yes. This is what sid-msg.map is

> ****How do I define my own rule numbers/sid numbers without messing up
> the way I update rules from cvs..
> I.E. is there a set of sid numbers that is RESERVED for user defined
> signatures?

Yup see above.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.26

> Finally,
>
> what other ways are there for us to uniquely tag custom signature rules?

Your own custom prefix msg. Your own rule type. Your own include
file. etc.


-- 
Chris Green <cmg () uab edu>
Laugh and the world laughs with you, snore and you sleep alone.
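The thread above covers three points a rule-update utility has to get right: local rules take SIDs from the 1000000+ range so a CVS pull of the official ruleset cannot collide with them, each SID must be unique, and sid-msg.map is the SID-to-message index. The script below is an added example, not code from the thread or from the Snort project: it parses a rules file, builds that index in the classic "sid || msg" layout of sid-msg.map (that layout is an assumption of this script), keeps the highest rev when the same SID appears more than once, and flags rules with no SID, duplicate SID/rev pairs, and local rules whose SID sits below the reserved range. The rules file and its line numbers are constructed sample input.

```python
import re

# Start of the SID range the thread says is set aside for user-defined rules.
LOCAL_SID_MIN = 1000000

# Constructed sample rules file; none of these rules come from a shipped ruleset.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example request"; flow:to_server; content:"/foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example request"; flow:to_server; content:"/foo"; nocase; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL dns probe"; content:"|00 01|"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"LOCAL wrong range"; sid:5000; rev:1;)
alert tcp any any -> any 21 (msg:"LOCAL no sid";)
"""

# Option extractors: msg is a quoted string, sid and rev are integers ending in ';'.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return one dict per rule line: {'line', 'sid', 'rev', 'msg'}.
    Comment and blank lines are skipped. A rule with no sid gets sid None;
    a rule with no rev is recorded as rev 0 (an assumption of this script)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        sid = SID_RE.search(stripped)
        rev = REV_RE.search(stripped)
        msg = MSG_RE.search(stripped)
        rules.append({
            'line': lineno,
            'sid': int(sid.group(1)) if sid else None,
            'rev': int(rev.group(1)) if rev else 0,
            'msg': msg.group(1) if msg else '',
        })
    return rules


def build_index(rules, local_min=LOCAL_SID_MIN):
    """Build a sid -> (msg, rev) index plus a list of problems an updater
    should report before merging local rules with a CVS-tracked ruleset."""
    index = {}
    problems = []
    for r in rules:
        if r['sid'] is None:
            problems.append(f"line {r['line']}: rule has no sid and cannot be indexed")
            continue
        if r['sid'] < local_min:
            problems.append(f"line {r['line']}: sid {r['sid']} is below {local_min}, "
                            "the range reserved for local rules; an upstream update may reuse it")
        prev = index.get(r['sid'])
        if prev is None:
            index[r['sid']] = (r['msg'], r['rev'])
        elif r['rev'] == prev[1]:
            problems.append(f"line {r['line']}: sid {r['sid']} rev {r['rev']} is defined twice")
        elif r['rev'] > prev[1]:
            # A newer revision of the same signature supersedes the older one.
            index[r['sid']] = (r['msg'], r['rev'])
    return index, problems


def render_sid_msg_map(index):
    """Emit the index in the classic 'sid || msg' layout of sid-msg.map, sorted by sid."""
    return '\n'.join(f"{sid} || {msg}" for sid, (msg, _rev) in sorted(index.items())) + '\n'


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    sid_index, issues = build_index(parsed)
    print(render_sid_msg_map(sid_index))
    for issue in issues:
        print('WARNING:', issue)
```

Run against the sample, the map contains three SIDs (1000001 at rev 2, 1000002, and the out-of-range 5000), and two warnings are printed: one for the rule whose SID falls inside the space the official ruleset uses, and one for the rule with no SID at all, which a database front end could not tie back to a signature.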

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

