VRT/ET/Local rule look-ups by assigned sid range. #138
Comments
if signature.sig_sid <= 1000000
+ @signature_url = if Setting.vrt_signature_lookup?
+ Setting.find(:vrt_signature_lookup)
+ else
+ VRT_SIGNATURE_URL
+ end
+ elsif (signature.sig_sid > 1000000) && (signature.sig_sid < 2000000)
+ @signature_url = if Setting.local_signature_lookup?
+ Setting.find(:local_signature_lookup)
+ else
+ LOCAL_SIGNATURE_URL
+ end
+ elsif (signature.sig_sid >= 2000000) && (signature.sig_sid < 3000000)
+ @signature_url = if Setting.et_signature_lookup?
+ Setting.find(:et_signature_lookup)
+ elseSignature SIDS dont really have a dedicated range and this is just best guessing. SIDs are generally a mess. |
|
According to the snort manual there is a dedicated range http://manual.snort.org/node30.html#keyword_sid . Although this specifies that sids > 1000000 are for local use. While this might be the "official" stance, the reality of the situation is that there are a lot of ET users. Or perhaps there are VRT users that cherry pick sigs from the ET rule set. Maybe the best course of action is to allow users to simply specify non-overlapping ranges and then define a lookup source per range, something similar to the ip lookup sources. Thoughts? |
|
Will has a good idea, possibly allow regex match to msg field. Given the
|
Can we have a rule look-ups become rule range aware? Something like the following(git patch)?
http://pastebin.com/EhVttJ3G
Please excuse the pastebin, but annoyingly github does not allow you to attach files to issues. Also please excuse the code if it is crap, I've never written anything in ruby before.
The text was updated successfully, but these errors were encountered: