Preferred method for modifying existing SID?

  • I'm wondering what is the preferred method/best practice for modifying an existing SID?

    I see two ways to do it, using the SID MGMT tab, or disabling the existing rule and then copying it's text to a custom rule and modifying it as needed.

    With option two (custom rule) you obviously won't get any updates to your rule should they be pushed down by Sourcefire/ET. With option 1 I assume you would get any potential updates which could break your modifications depending upon what those updates are.

    I went with option two and disabled the existing rule and made a custom rule and it seems to work.

    One reason I didn't modify the existing rule with SID MGMT is that the text in the rule I needed to modify included quotation marks and I wasn't sure if the SID MGMT tab would have problems with embedded quotes. For example my change would look like this:

    10010 "content:"xxx";" "content:!"yyy";"

    Would the SID MGMT properly change the rule? Or do the quotes need to be escaped somehow?

  • The quotes would likely need to be escaped as all that is handled by the regex engine.  You can give it a try with and without quotes to see how it works.

    The way SID MGMT fits into the rule loading chain is thus:

    A large array of rules is created in memory by reading all the enabled categories and their rules from the rules files you download from the vendors.  After all the vendor files are read, the custom rules file is read and any rules in it are added to the aforementioned in-memory array.  Next, the SID MGMT tab code runs to walk that array of rules in memory and modify them according to the instructions in the enablesid.conf, disablesid.conf and modifysid.conf files.  The last piece of code that runs is the piece that processes the manual rule enable/disable changes that the user chose using the little icons beside the SIDs on the RULES and ALERTS tabs.  When all these processes have finished with the array of rules, the contents of the array is then written to a file called snort.rules in the /usr/pbi/snort-amd64/etc/snort/{interface}/rules/ directory.  The {interface} part is a string consisting of a GUID and the physical interface name.  That final file contains the text rules that Snort actually loads and uses to inspect traffic.


  • You could probably double mod it:

    10010 "content:" "content:!"
    10010 "xxx" "yyy"

    But, depending on how many rules you have to mod, I would personnally make a custom rule for your needs and keep the original intact. Who knows, what if the original triggers one day?

Log in to reply