gid
The gid keyword stands for "generator id" and identifies the specific part of Snort that generated a given event. The different parts include, but are not limited to, standard text rules, shared object rules, and builtin rules, and each part has its own generator ID. Standard text rules, for example, are identified with GID 1, shared object rules are identified with GID 3, and builtin rules are identified with GIDs over 100.
The GIDs included within Snort can be listed with the following command:
$ snort --list-gids
It's important to note that the gid keyword is optional; if it is not specified in a rule, it defaults to 1 and the rule is part of the standard text rule subsystem. Snort identifies an event by its gid and sid together (alerts print them as gid:sid:rev), so a rule that omits gid and a rule that sets gid:1 explicitly share the same identifier space and must not reuse a sid.
Format:
gid:generator_id;
Examples:
# sets the rule's generator ID to 1 to tell Snort it's a standard text rule
gid:1;
# sets the rule's generator ID to 3 to tell Snort it's a shared object rule
gid:3;
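As an added illustration (not part of the Snort manual or the Snort code base), the following Python script parses the gid and sid options out of a small set of constructed rules, applies the default-to-1 behaviour described above, classifies each gid by the ranges the text gives, and reports gid:sid pairs that more than one rule claims. The rule text and all sids are made up for this example; the regular expression is a simplified stand-in for Snort's own rule parser and only handles the gid and sid options.

```python
import re
from collections import Counter

# Constructed sample rules for this example; they are not from any shipped
# Snort ruleset. The first rule has no gid option, so it defaults to 1; the
# second sets gid:3 explicitly; the third collides with the first on gid:sid.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 ( msg:"example text rule, gid omitted"; sid:1000001; rev:1; )
alert tcp any any -> any 443 ( msg:"example shared object stub"; gid:3; sid:1000002; rev:1; )
alert http any any -> any any ( msg:"same gid:sid as the first rule"; gid:1; sid:1000001; rev:2; )
'''

# Matches "gid:<number>;" and "sid:<number>;" in a rule body. Whitespace around
# the colon and value is tolerated, as Snort's parser tolerates it.
_OPT_RE = re.compile(r'\b(gid|sid)\s*:\s*(\d+)\s*;')

# Quoted strings (msg, content, ...) may legitimately contain text such as
# "gid:3;", so they are blanked before the option scan to avoid false matches.
_QUOTED_RE = re.compile(r'"[^"]*"')


def rule_ids(rule: str) -> tuple[int, int]:
    """Return (gid, sid) for one rule; gid defaults to 1 when it is absent."""
    body = _QUOTED_RE.sub('""', rule)
    opts = dict(_OPT_RE.findall(body))
    if 'sid' not in opts:
        raise ValueError(f"rule has no sid option: {rule!r}")
    return int(opts.get('gid', 1)), int(opts['sid'])


def gid_subsystem(gid: int) -> str:
    """Classify a gid by the ranges the gid documentation describes."""
    if gid == 1:
        return 'standard text rule'
    if gid == 3:
        return 'shared object rule'
    if gid > 100:
        return 'builtin rule'
    return 'other'


def find_duplicate_ids(rules_text: str) -> list[tuple[int, int]]:
    """Return the (gid, sid) pairs used by more than one rule, sorted.

    Snort identifies an event by gid and sid together, so two rules that share
    both collide even when their msg or rev differ. Blank lines and comments
    are skipped.
    """
    rules = [ln for ln in rules_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith('#')]
    counts = Counter(rule_ids(r) for r in rules)
    return sorted(ids for ids, n in counts.items() if n > 1)


if __name__ == '__main__':
    for line in SAMPLE_RULES.strip().splitlines():
        gid, sid = rule_ids(line)
        print(f"{gid}:{sid}  {gid_subsystem(gid)}")
    for gid, sid in find_duplicate_ids(SAMPLE_RULES):
        print(f"duplicate identifier gid:{gid} sid:{sid}")
```

Running the script shows the first and third rules both resolving to 1:1000001, one by default and one by an explicit gid:1, which is exactly the collision the default-to-1 behaviour makes easy to miss when rules from several files are loaded together.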