cancel
Showing results for 
Search instead for 
Did you mean: 
rbroom
Level 7
Report Inappropriate Content
Message 1 of 1

Search / Alarm on Snort Rule ID?

I'm trying to perform searches and set alarms based on a specific Snort rule ID.  I have the rule ID from the Snort sensor, but it doesn't always seem to map to the "Signature ID" in Nitro.

We can take a basic Sourcefire rule: 1:13359:7 ("APP-DETECT failed IMAP login attempt - invalid username/password").  I would have thought this translates to a Signature ID of 1-13359, but that's not the case.  It seems to be something like 38-3016359, but the conversion appears random.

Can I get a recommendation on how to translate a Snort rule ID into a Signature ID for my purposes?

Thank you.