From: Jufajardini Reichow Date: Tue, 19 Jul 2022 21:28:19 +0000 (-0300) Subject: userguide/rules: explain sid uniqueness within gid X-Git-Tag: suricata-7.0.0-beta1~344 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45f14bb97c8ee5eeba2313b66cf213b1f4cdf0d8;p=thirdparty%2Fsuricata.git userguide/rules: explain sid uniqueness within gid While Suri will throw an error if two signatures have the same `sid` and no `gid`, or same `sid` and same `gid`, it will just accept same `sid` for different `gid`s. Related to Task #5441 --- diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 6b28faab2e..d7d49cc4f7 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -38,8 +38,9 @@ signature is emphasized below: sid (signature ID) ------------------ -The keyword sid gives every signature a unique id. -The sid is expressed as a number. The format of sid is:: + +The keyword sid gives every signature its own id. This id is stated with a number +greater than zero. The format of sid is:: sid:123; @@ -58,6 +59,15 @@ Example of sid in a signature: There are reserved ranges of sids, the reservations are recorded at https://sidallocation.org/ . +.. Note:: + + This value must be unique for all rules within the same :ref:`rule group + ` (``gid``). + + As Suricata-update currently considers the rule's ``sid`` only (cf. `Bug#5447 + `_), it is adviseable + to opt for a completely unique ``sid`` altogether. + rev (revision) -------------- The sid keyword is commonly accompanied by the rev keyword. Rev @@ -80,6 +90,8 @@ Example of rev in a signature: is expressed after the sid keyword. The sid and rev keywords are commonly put as the last two keywords in a signature. +.. _gid: + gid (group ID) -------------- The gid keyword can be used to give different groups of 
@@ -192,4 +204,4 @@ The format is:: If the value is src_ip then the source IP in the generated event (src_ip field in JSON) is the target of the attack. If target is set to dest_ip -then the target is the destination IP in the generated event. \ No newline at end of file +then the target is the destination IP in the generated event.
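Review bot: in the first hunk (the `sid (signature ID)` paragraph) the new wording adds the constraint "a number greater than zero", but the commit message only justifies the sid/gid uniqueness change and says nothing about a lower bound; either confirm that Suricata actually rejects `sid:0;` and keep the sentence, or drop "greater than zero" so the docs do not state a check the engine may not perform. Replacing "unique id" with "its own id" is fine given that uniqueness is now spelled out precisely in the Note below.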
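Review bot: in the `.. Note::` hunk, "adviseable" should be "advisable", and "Suricata-update" should be written as the tool name `suricata-update`. As shown here the cross-reference reads ``:ref:`rule group ` `` with no target and the `Bug#5447` link carries no URL; the target should be `<gid>` so it resolves to the `.. _gid:` label this same patch adds before the `gid (group ID)` section, and the bug link needs its full URL, otherwise Sphinx will warn and the rendered Note loses both links. The advice itself is sound from an operations standpoint: Suricata accepts the same sid under different gids, but because suricata-update keys on sid alone, such rules can collide in rule management, so choosing a globally unique sid avoids that ambiguity.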
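Review bot: the last hunk (`@@ -192,4 +204,4 @@`) only adds the missing newline at end of file for the `target` paragraph; it is unrelated to the sid/gid documentation change described in the commit message, so it would be cleaner as its own whitespace commit, though it is harmless here.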