userguide/rules: explain sid uniqueness within gid

While Suri will throw an error if two signatures have the same `sid`
and no `gid`, or same `sid` and same `gid`, it will just accept same
`sid` for different `gid`s.

Related to

Task #5441

diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst
index 6b28faab2e1ee359e790441ef2d7ff6a26235ab8..d7d49cc4f73af5882196d1c0d705544db125f444 100644 (file)
--- a/doc/userguide/rules/meta.rst
+++ b/doc/userguide/rules/meta.rst
@@ -38,8 +38,9 @@ signature is emphasized below:
 
 sid (signature ID)
 ------------------
-The keyword sid gives every signature a unique id.
-The sid is expressed as a number. The format of sid is::
+
+The keyword sid gives every signature its own id. This id is stated with a number
+greater than zero. The format of sid is::
 
   sid:123;
 
@@ -58,6 +59,15 @@ Example of sid in a signature:
    There are reserved ranges of sids, the reservations are recorded
    at https://sidallocation.org/ .
 
+.. Note::
+
+   This value must be unique for all rules within the same :ref:`rule group
+   <gid>` (``gid``).
+
+   As Suricata-update currently considers the rule's ``sid`` only (cf. `Bug#5447
+   <https://redmine.openinfosecfoundation.org/issues/5447>`_), it is adviseable
+   to opt for a completely unique ``sid`` altogether.
+
 rev (revision)
 --------------
 The sid keyword is commonly accompanied by the rev keyword. Rev
@@ -80,6 +90,8 @@ Example of rev in a signature:
     is expressed after the sid keyword. The sid and rev keywords
     are commonly put as the last two keywords in a signature.
 
+.. _gid:
+
 gid (group ID)
 --------------
 The gid keyword can be used to give different groups of
@@ -192,4 +204,4 @@ The format is::
 
 If the value is src_ip then the source IP in the generated event (src_ip
 field in JSON) is the target of the attack. If target is set to dest_ip
-then the target is the destination IP in the generated event.
\ No newline at end of file
+then the target is the destination IP in the generated event.