From 45f14bb97c8ee5eeba2313b66cf213b1f4cdf0d8 Mon Sep 17 00:00:00 2001 From: Jufajardini Reichow Date: Tue, 19 Jul 2022 18:28:19 -0300 Subject: [PATCH] userguide/rules: explain sid uniqueness within gid While Suri will throw an error if two signatures have the same `sid` and no `gid`, or same `sid` and same `gid`, it will just accept same `sid` for different `gid`s. Related to Task #5441 --- doc/userguide/rules/meta.rst | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 6b28faab2e..d7d49cc4f7 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -38,8 +38,9 @@ signature is emphasized below: sid (signature ID) ------------------ -The keyword sid gives every signature a unique id. -The sid is expressed as a number. The format of sid is:: + +The keyword sid gives every signature its own id. This id is stated with a number +greater than zero. The format of sid is:: sid:123; @@ -58,6 +59,15 @@ Example of sid in a signature: There are reserved ranges of sids, the reservations are recorded at https://sidallocation.org/ . +.. Note:: + + This value must be unique for all rules within the same :ref:`rule group + ` (``gid``). + + As Suricata-update currently considers the rule's ``sid`` only (cf. `Bug#5447 + `_), it is adviseable + to opt for a completely unique ``sid`` altogether. + rev (revision) -------------- The sid keyword is commonly accompanied by the rev keyword. Rev @@ -80,6 +90,8 @@ Example of rev in a signature: is expressed after the sid keyword. The sid and rev keywords are commonly put as the last two keywords in a signature. +.. _gid: + gid (group ID) -------------- The gid keyword can be used to give different groups of 
@@ -192,4 +204,4 @@ The format is:: If the value is src_ip then the source IP in the generated event (src_ip field in JSON) is the target of the attack. If target is set to dest_ip -then the target is the destination IP in the generated event. \ No newline at end of file +then the target is the destination IP in the generated event.
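Review bot: in the first hunk (`@@ -38,8 +38,9 @@`), the added sentence "This id is stated with a number greater than zero" introduces a constraint the rest of the page does not back up anywhere; please confirm it against the parser's actual handling of `sid:0` and, if that value is accepted, state the real constraint instead. The wording "stated with a number" is also awkward; "The sid is expressed as a number greater than zero." keeps the original phrasing of the line it replaces. The extra blank line inserted directly under the `------------------` underline is harmless in RST but not used elsewhere in this file.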
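Review bot: in the second hunk (`@@ -58,6 +59,15 @@`), the new note says the value "must be unique" within a gid but never says what happens otherwise; the commit message does (Suricata throws an error for a duplicate `sid` with the same or no `gid`), and that consequence is what a rule writer needs, so add it, e.g. "Suricata will refuse to load a rule whose sid/gid pair is already in use." Fix the typo "adviseable" -> "advisable", and write the tool name as `suricata-update` as it is invoked rather than "Suricata-update". The `:ref:` role in the note reads `:ref:\`rule group \`` with no visible target; make sure the source carries the explicit target matching the `.. _gid:` label added in the third hunk, and likewise that the `Bug#5447` link carries its URL, or Sphinx will warn on build. Lower-case `.. note::` is the convention used for directives in the rest of the userguide.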
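Review bot: in the last hunk (`@@ -192,4 +204,4 @@`), the only change is adding the missing newline at end of file, which is unrelated to sid uniqueness; either mention it in the commit message or split it into its own whitespace-only commit so the diff for this task stays focused.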