Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-09-27
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 28 Sep 2010 13:39:43 -0400
On Tue, 28 Sep 2010 17:29:35 +0000, Eoin Miller wrote:
> On 9/28/2010 5:25 PM, waldo kitty wrote:
>> On 9/28/2010 11:03, infosec posts wrote:
>>> I have to ask, because I must be missing something here. SID:17494 - web-client.rules -
>>
>> what's the GID? i suspect it is 3?? FWIW: i see that the GID is becoming more and more important when talking about rules...
>
> It's (the GID) going to be 1 because that ruleset is not for a preprocessor.
>
> -- Eoin

To be clear: Shared object rules are not pre-processors, they have a GID of 3. They use the same SID range as regular rules (GID 1). Pre-processors do not use the same SID range.

Yes, it is important to use the GID:SID tuple when talking about events, it is also useful to include the rev of the rule, so GID:SID:Rev is preferred.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
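
Added example, not part of the original thread or of Snort itself: a Python script that keys alerts by the GID:SID:Rev tuple recommended above and flags SIDs for which a bare SID would be ambiguous. The alert lines, SIDs, revisions and addresses are constructed; only the meanings of GID 1 and GID 3 come from the thread, and every other GID is simply labelled "other generator".

```python
import re
from collections import Counter

# Header of a Snort "fast" alert line: [**] [GID:SID:Rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

# GID meanings as stated in the thread; other GIDs are not classified here.
GID_KIND = {1: "text rule", 3: "shared object rule"}

# Constructed sample log (all values are made up for illustration).
SAMPLE_ALERTS = """\
09/27-10:00:01.000001 [**] [1:1000001:1] constructed alert A [**] {TCP} 192.0.2.10:1234 -> 198.51.100.5:80
09/28-10:00:02.000002 [**] [1:1000001:2] constructed alert A, revised rule [**] {TCP} 192.0.2.10:1235 -> 198.51.100.5:80
09/28-10:00:03.000003 [**] [3:1000002:1] constructed alert B [**] {TCP} 192.0.2.11:4321 -> 198.51.100.5:80
09/28-10:00:04.000004 [**] [119:2:1] constructed alert C [**] {TCP} 192.0.2.12:5555 -> 198.51.100.5:80
09/28-10:00:05.000005 [**] [1:1000001:2] constructed alert A, revised rule [**] {TCP} 192.0.2.13:6666 -> 198.51.100.5:80
this line is not an alert
"""

def parse_alerts(text):
    """Return one (gid, sid, rev) tuple per alert line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(tuple(int(x) for x in m.groups()))
    return events

def rule_kind(gid):
    """Classify a generator ID using only what the thread states."""
    return GID_KIND.get(gid, "other generator")

def ambiguous_sids(events):
    """SIDs seen with more than one GID:Rev pair, where a bare SID is not enough."""
    seen = {}
    for gid, sid, rev in events:
        seen.setdefault(sid, set()).add((gid, rev))
    return {sid: sorted(pairs) for sid, pairs in seen.items() if len(pairs) > 1}

if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, rev), n in sorted(Counter(events).items()):
        print(f"{gid}:{sid}:{rev}  {rule_kind(gid):<18}  {n} event(s)")
    for sid, pairs in ambiguous_sids(events).items():
        print(f"SID {sid} alone is ambiguous; seen as GID:Rev {pairs}")
```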