Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 28 Sep 2010 13:39:43 -0400

On Tue, 28 Sep 2010 17:29:35 +0000, Eoin Miller wrote:
> On 9/28/2010 5:25 PM, waldo kitty wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> I have to ask, because I must be missing something here.
>>>
>>> SID:17494 - web-client.rules -
>>
>> what's the GID? i suspect it is 3??
>>
>> FWIW: i see that the GID is becoming more and more important when
>> talking about rules...
>
> It's (the GID) going to be 1 because that ruleset is not for a preprocessor.
>
> -- Eoin

To be clear:

Shared object rules are not pre-processors; they have a GID of 3. They
use the same SID range as regular rules (GID 1).

Pre-processors do not use the same SID range.

Yes, it is important to use the GID:SID tuple when talking about
events; it is also useful to include the rev of the rule, so
GID:SID:Rev is preferred.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
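An added illustration of Nigel's point, not code from the thread or from Sourcefire: a small Python parser over constructed Snort "fast"-format alert lines (the SID 17494 msg texts are placeholders, and the GID 3 event with the same SID is constructed to show the overlapping SID range). Keying events on SID alone merges a GID 1 text rule with a GID 3 shared-object rule; keying on GID:SID:rev keeps them apart.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort fast-alert format (not real events);
# the msg fields are placeholders, not the real VRT rule messages.
SAMPLE_ALERTS = """\
09/28-13:39:43.000001  [**] [1:17494:2] CONSTRUCTED text-rule msg [**] [Priority: 2] {TCP} 10.0.0.5:3456 -> 192.0.2.10:80
09/28-13:39:44.000002  [**] [3:17494:1] CONSTRUCTED shared-object msg [**] [Priority: 2] {TCP} 10.0.0.6:3457 -> 192.0.2.10:80
09/28-13:39:45.000003  [**] [1:17494:3] CONSTRUCTED text-rule msg [**] [Priority: 2] {TCP} 10.0.0.7:3458 -> 192.0.2.10:80
09/28-13:39:46.000004  [**] [119:4:1] (http_inspect) CONSTRUCTED preprocessor msg [**] [Priority: 3] {TCP} 10.0.0.8:3459 -> 192.0.2.10:80
"""

# The "[**] [gid:sid:rev]" prefix that fast alerts carry for every event.
ALERT_ID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] ")


def parse_alert_ids(text):
    """Return the (gid, sid, rev) tuple of every alert line, in order."""
    return [tuple(int(x) for x in m.groups()) for m in ALERT_ID_RE.finditer(text)]


def count_by_sid(ids):
    """Naive counting on SID only: conflates GID 1 and GID 3 rules."""
    return Counter(sid for _gid, sid, _rev in ids)


def count_by_gid_sid_rev(ids):
    """Counting on the full tuple keeps each distinct rule separate."""
    return Counter(ids)


def ambiguous_sids(ids):
    """SIDs that occur under more than one GID, i.e. where GID is required."""
    gids_per_sid = {}
    for gid, sid, _rev in ids:
        gids_per_sid.setdefault(sid, set()).add(gid)
    return {sid for sid, gids in gids_per_sid.items() if len(gids) > 1}


def rule_identity(rule_text):
    """Read gid/sid/rev from a rule's option block; gid defaults to 1 for
    ordinary text rules, and a missing rev is treated here as 0."""
    def opt(name, default=None):
        m = re.search(r"\b%s\s*:\s*(\d+)\s*;" % name, rule_text)
        return int(m.group(1)) if m else default
    sid = opt("sid")
    if sid is None:
        raise ValueError("rule has no sid option")
    return (opt("gid", 1), sid, opt("rev", 0))
```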
