sid
The sid keyword uniquely identifies a given Snort rule. This rule option takes a single argument: a numeric value that must be unique to the rule.
While not technically required, all Snort rules should have a sid option so that a rule can be quickly identified should it ever generate an alert.
Snort "reserves" sid values 0-999999 because those are used in rules included with the Snort distribution. Therefore, users should use sid values that start at 1000000 for local rules, incrementing the sid values by one for each additional local rule.
Format:
sid:signature_id;
Example:
sid:44763;
sid:1000001;
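The numbering guidance above can be checked mechanically before local rules are deployed. The following is an added example, not part of the Snort documentation or distribution: it audits a local rules file for rules with no sid, sids in the reserved 0-999999 range, and sids reused by more than one rule. The function names, the sample rules, and the one-rule-per-line layout are assumptions made for the illustration.

```python
import re
from collections import defaultdict

LOCAL_SID_START = 1000000  # 0-999999 are reserved for rules shipped with Snort

# Constructed sample local rules file (assumption: one rule per line).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"local rule A"; sid:1000001;)
alert tcp any any -> any 443 (msg:"local rule B"; sid:1000002;)
alert udp any any -> any 53 (msg:"reuses a sid"; sid:1000001;)
alert tcp any any -> any 22 (msg:"reserved range"; sid:44763;)
alert icmp any any -> any any (msg:"no sid; sid:7; in msg only";)
# alert tcp any any -> any 21 (msg:"commented out"; sid:1000001;)
"""

QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # quoted option values
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")    # the sid:<number>; option


def audit_sids(rules_text):
    """Return (missing, reserved, duplicates) for the active rules."""
    seen = defaultdict(list)   # sid -> line numbers using it
    missing, reserved = [], []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue           # skip blanks and commented-out rules
        # Blank out quoted strings so "sid:" text inside msg is not matched.
        match = SID_RE.search(QUOTED_RE.sub('""', line))
        if match is None:
            missing.append(lineno)
            continue
        sid = int(match.group(1))
        seen[sid].append(lineno)
        if sid < LOCAL_SID_START:
            reserved.append((lineno, sid))
    duplicates = {s: lines for s, lines in seen.items() if len(lines) > 1}
    return missing, reserved, duplicates


def next_free_sid(rules_text):
    """Next local sid: one past the highest in use (commented-out rules count)."""
    used = [int(s) for s in SID_RE.findall(QUOTED_RE.sub('""', rules_text))]
    local = [s for s in used if s >= LOCAL_SID_START]
    return max(local) + 1 if local else LOCAL_SID_START


if __name__ == "__main__":
    print(audit_sids(SAMPLE_RULES))
    print("next free sid:", next_free_sid(SAMPLE_RULES))
```

On the constructed sample, the audit reports line 5 as missing a sid, line 4 as using a reserved value, and sid 1000001 as shared by lines 1 and 3.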