I'm trying to perform searches and set alarms based on a specific Snort rule ID. I have the rule ID from the Snort sensor, but it doesn't always seem to map to the "Signature ID" in Nitro.
We can take a basic Sourcefire rule: 1:13359:7 ("APP-DETECT failed IMAP login attempt - invalid username/password"). I would have thought this translates to a Signature ID of 1-13359, but that's not the case. It seems to be something like 38-3016359, but the conversion appears random.
Can I get a recommendation on how to translate a Snort rule ID into a Signature ID for my purposes?