I am currently configuring rules for our Suricata implementation, and have found that, due to the high volume of rules created, our organization for finding these rules is getting hectic. We came up with a plan for properly organizing the rules which includes adding the SID to the alert message for swift location. However, I was unsure whether multiple messages are allowed or whether it has to be inserted into the main alert title, for example:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +…)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .USA.[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
Would it be possible to have this same alert with the SID as a separate message, such as:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +…)"; msg:"sid:2008124"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .USA.[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
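Added example (my own code, not from the original post or from Suricata): the rule parser expects exactly one msg per signature, so a second msg keyword is not a second label, and the sid is already carried in every alert record (EVE JSON alert.signature_id, the [gid:sid:rev] field in fast.log). The linter below runs over constructed sample rules, flags any rule that does not have exactly one msg and one sid, and rewrites the single msg to carry a "[sid:N]" prefix so the SID shows up in the alert title itself.

```python
import re

# Constructed sample rules for the demo (not a real ruleset). The second one
# carries the duplicate msg from the question; the third is missing its sid.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +...)"; '
    'flow:established,to_server; content:"NICK "; pcre:"/NICK .USA.[0-9]{3,}/i"; sid:2008124; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +...)"; '
    'msg:"sid:2008124"; flow:established,to_server; content:"NICK "; sid:2008124; rev:2;)',
    'alert http any any -> any any (msg:"LOCAL Example without sid"; content:"x"; rev:1;)',
]


def split_options(rule: str) -> list[tuple[str, str]]:
    """Split the '(...)' option block into (keyword, value) pairs.
    The split happens on ';' only outside double quotes and honours backslash
    escapes, so a ';' inside a content or pcre string does not break the rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in opts)]


def lint_rule(rule: str) -> list[str]:
    """Return the problems that would stop the rule loading or defeat the SID-in-msg plan."""
    pairs = split_options(rule)
    n_msg = sum(1 for k, _ in pairs if k == "msg")
    n_sid = sum(1 for k, _ in pairs if k == "sid")
    problems = []
    if n_msg != 1:
        problems.append(f"expected exactly one msg, found {n_msg}")
    if n_sid != 1:
        problems.append(f"expected exactly one sid, found {n_sid}")
    return problems


def tag_msg_with_sid(rule: str) -> str:
    """Rewrite the single msg so it starts with '[sid:N] '; every other option stays as is.
    Already-tagged rules are returned unchanged, so the rewrite is safe to rerun."""
    problems = lint_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    pairs = split_options(rule)
    sid = next(v for k, v in pairs if k == "sid")
    if next(v for k, v in pairs if k == "msg").startswith('"[sid:'):
        return rule
    # Only the msg string is touched; the pattern tolerates escaped quotes inside it.
    return re.sub(r'msg:"((?:[^"\\]|\\.)*)"',
                  lambda m: f'msg:"[sid:{sid}] {m.group(1)}"', rule, count=1)
```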