@ -38,8 +38,9 @@ signature is emphasized below:
sid (signature ID)
------------------
The keyword sid gives every signature a unique id.
The sid is expressed as a number. The format of sid is::
The keyword sid gives every signature its own id. This id is stated with a number
greater than zero. The format of sid is::
sid:123;
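Review bot: The replacement sentence in the sid description says the id is "a number greater than zero", which does not rule out non-integer values and gives no upper bound. "a positive integer" would be more precise, and if a maximum exists it belongs in the same sentence. The rewrite also drops the word "unique" from the opening sentence, so a reader who stops at this paragraph no longer learns that the id has to be unique. Consider keeping "unique" here and letting the later note refine the scope.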
@ -58,6 +59,15 @@ Example of sid in a signature:
There are reserved ranges of sids, the reservations are recorded
at https://sidallocation.org/ .
.. Note ::
This value must be unique for all rules within the same :ref:`rule group
<gid>` (` `gid` `).
As Suricata-update currently considers the rule's `` sid `` only (cf. `Bug#5447
<https://redmine.openinfosecfoundation.org/issues/5447>`_), it is adviseable
to opt for a completely unique `` sid `` altogether.
rev (revision)
--------------
The sid keyword is commonly accompanied by the rev keyword. Rev
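Review bot: The second sentence of the added note recommends a completely unique sid because Suricata-update "currently considers the rule's sid only", but it never says what happens to two rules that share a sid under different gids, so the reader cannot judge the risk. One sentence on the observable effect, or an explicit statement that Bug#5447 describes it, would make the advice actionable. "currently" will also go stale, so tie the sentence to a Suricata-update version or plan to remove it when the bug is closed. Spelling: "adviseable" should be "advisable". If the spaces inside the inline literals around sid and gid and in ".. Note ::" are present in the source file and are not a rendering artifact, they will break the reST markup.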
@ -80,6 +90,8 @@ Example of rev in a signature:
is expressed after the sid keyword. The sid and rev keywords
are commonly put as the last two keywords in a signature.
.. _gid:
gid (group ID)
--------------
The gid keyword can be used to give different groups of
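Review bot: The added ".. _gid:" target uses a very short label, and Sphinx labels share one namespace across the whole documentation set, so a bare "gid" is easy to collide with a label added elsewhere later. A section-qualified name would be safer, with the :ref: in the sid note updated to match. Also check that a blank line separates the target from the "gid (group ID)" title so the label binds to the section cleanly.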
@ -192,4 +204,4 @@ The format is::
If the value is src_ip then the source IP in the generated event (src_ip
field in JSON) is the target of the attack. If target is set to dest_ip
then the target is the destination IP in the generated event.
then the target is the destination IP in the generated event.