Hello,
I would like to know the meaning of the first digit in enablesid.conf. For instance, for a Snort rule of:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; rev:4;)
The sid would be 678. On the other hand, enablesid.conf has examples like:
'1:1034,1:9837'
1034 would be the sid, but what does the '1:' stand for?
I'm starting with pulledpork and I already have a set of enabled rules that I want PP to work with. So far, the only way of doing that is to port all those enabled rules into PP's enablesid.conf. Or is there a utility to do that?
Thanks!
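One way to do the conversion the post asks about, as an added example that is not from the original post or from pulledpork itself: it assumes enablesid.conf entries are `gid:sid` pairs (gid 1 being Snort's default for text rules), and the sample rules are constructed here.

```python
import re
from typing import List

# Constructed sample rules (not from the original post): one with an
# explicit gid, one relying on the default gid of 1, one commented out,
# and one without a sid option at all.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example one"; sid:1034; rev:2;)
# alert udp any any -> any 53 (msg:"disabled"; sid:2000; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"example two"; gid:3; sid:9837; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"no sid"; itype:8;)
"""

# Match the sid/gid rule options; the trailing ';' keeps "sid" inside a
# msg string from matching unless it is written exactly like an option.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rules_to_enablesid(rule_text: str) -> List[str]:
    """Return 'gid:sid' entries for every active rule in rule_text.

    Commented-out rules are skipped, gid defaults to 1 when absent
    (assumed Snort convention for text rules), and rules without a sid
    are ignored because enablesid.conf cannot address them.
    """
    entries = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        entries.append(f"{gid.group(1) if gid else 1}:{sid.group(1)}")
    return entries


def format_enablesid(entries: List[str]) -> str:
    """Join entries into the comma-separated form enablesid.conf uses."""
    return ",".join(entries)


if __name__ == "__main__":
    print(format_enablesid(rules_to_enablesid(SAMPLE_RULES)))
```

Run it against your existing rules files and paste the output line into enablesid.conf; rules already commented out in the source file are left out so they stay disabled.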