diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 6b28faab2e..d7d49cc4f7 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -38,8 +38,9 @@ signature is emphasized below: sid (signature ID) ------------------ -The keyword sid gives every signature a unique id. -The sid is expressed as a number. The format of sid is:: + +The keyword sid gives every signature its own id. This id is stated with a number +greater than zero. The format of sid is:: sid:123; @@ -58,6 +59,15 @@ Example of sid in a signature: There are reserved ranges of sids, the reservations are recorded at https://sidallocation.org/ . +.. Note:: + + This value must be unique for all rules within the same :ref:`rule group + ` (``gid``). + + As Suricata-update currently considers the rule's ``sid`` only (cf. `Bug#5447 + `_), it is adviseable + to opt for a completely unique ``sid`` altogether. + rev (revision) -------------- The sid keyword is commonly accompanied by the rev keyword. Rev @@ -80,6 +90,8 @@ Example of rev in a signature: is expressed after the sid keyword. The sid and rev keywords are commonly put as the last two keywords in a signature. +.. _gid: + gid (group ID) -------------- The gid keyword can be used to give different groups of @@ -192,4 +204,4 @@ The format is:: If the value is src_ip then the source IP in the generated event (src_ip field in JSON) is the target of the attack. If target is set to dest_ip -then the target is the destination IP in the generated event. \ No newline at end of file +then the target is the destination IP in the generated event.
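Review bot: In the first hunk (@@ -38,8 +38,9 @@), the new wording "gives every signature its own id" drops the word "unique" that the removed line carried, while the note added in the next hunk says the value "must be unique" within a gid. The two passages now describe the same requirement in different strengths. Suggest keeping "unique" here and stating the scope once, for example "The keyword sid gives every signature an id that is unique within its gid." The phrase "This id is stated with a number greater than zero" would also read more plainly as "The sid is a number greater than zero."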
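Review bot: In the note added after the sidallocation.org paragraph (@@ -58,6 +59,15 @@), "adviseable" is misspelled (it should be "advisable"), and "a completely unique ``sid`` altogether" is redundant. Something like "it is advisable to use a ``sid`` that is unique across all groups" says the same thing. The note also tells rule writers what to do but not what goes wrong otherwise: a sentence on what Suricata-update does with two rules that share a ``sid`` under different ``gid`` values would make the recommendation actionable. Finally, "currently" will go stale once the referenced bug is resolved, so consider naming the affected version, and use the lowercase ``.. note::`` spelling if that is what the rest of the user guide uses.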
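Review bot: The label added above the "gid (group ID)" heading (@@ -80,6 +90,8 @@) is named just "gid". Sphinx reference labels share a single namespace across the whole documentation set, so a name this short invites a duplicate-label clash with any later page that documents gid. Suggest a more specific label that includes the page or section context, and update the :ref: in the sid note from the previous hunk to match.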