[Oisf-devel] placement and SIDs for new rules

Victor Julien victor at inliniac.net
Fri Dec 7 09:22:57 UTC 2012


On 12/05/2012 06:24 PM, David Mandelberg wrote:
> Hi,
> 
> I'm working on some rules that use existing keywords and a new variable.
> I added the variable to suricata.yaml.in:
> 
>     # Router addresses directly attached to any link that Suricata is
>     # listening to.
>     LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
> 
> 
> An example rule using the variable is:
> 
> alert icmp !$LOCAL_LINK_ROUTERS any -> any any (msg:"SURICATA ICMPv4 unexpected redirect"; ip_proto:1; itype:5; sid:TODO; rev:1;)

What should !0.0.0.0/0 match on? 0.0.0.0/0 is everything, so "not
everything" would be nothing.

> 
> My questions are:
> 
> Should I create a new file under rules/ to store those rules? Do they
> belong somewhere else like Emerging Threats? If they belong in Suricata,
> what SIDs should I use?

We use this doc about SID allocation. Everything below 2000000 is
reserved to VRT: http://doc.emergingthreats.net/bin/view/Main/SidAllocation

As to where these rules belong, that is an interesting question. Maybe
we distribute them with Suricata at first, then when the set(s)
stabilize we can see if it makes sense to talk to ET about integrating?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
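A small Python model of the address-group semantics behind the "!0.0.0.0/0" question above, added here as an illustration; it is not code from Suricata or from either poster, and it assumes a simplified group syntax (flat, comma-separated list, no nested groups or inner negation), so it does not reproduce Suricata's real address parser.

```python
import ipaddress

# Constructed copy of the variable from the quoted suricata.yaml.in snippet.
LOCAL_LINK_ROUTERS = "[0.0.0.0/0,fe80::/64]"

def parse_address_group(value):
    """Parse a bracketed, comma-separated address group into ip_network objects.
    Simplified model (assumption): no nested groups and no '!' inside the list."""
    body = value.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in body.split(",") if item.strip()]

def in_group(group, addr):
    """True if addr falls inside any network of the same IP version in the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in group)

def source_clause_matches(group, negated, addr):
    """Evaluate a rule's source-address clause written as '$VAR' or '!$VAR'."""
    hit = in_group(group, addr)
    return (not hit) if negated else hit

def negation_is_empty(group, version):
    """True if '!group' can never match an address of this IP version, i.e. the
    group already contains the whole address space (a /0) for that version."""
    return any(net.version == version and net.prefixlen == 0 for net in group)

def redirect_rule_matches(src_addr):
    """Source clause of: alert icmp !$LOCAL_LINK_ROUTERS any -> any any (...)"""
    group = parse_address_group(LOCAL_LINK_ROUTERS)
    return source_clause_matches(group, True, src_addr)

if __name__ == "__main__":
    group = parse_address_group(LOCAL_LINK_ROUTERS)
    for src in ("10.0.0.1", "192.0.2.7", "fe80::1", "2001:db8::1"):
        print(src, "->", redirect_rule_matches(src))
    # With 0.0.0.0/0 in the variable, the IPv4 half of the negated clause matches nothing,
    # while the IPv6 half still matches anything outside fe80::/64.
    print("IPv4 half of !$LOCAL_LINK_ROUTERS is dead:", negation_is_empty(group, 4))
    print("IPv6 half still live:", not negation_is_empty(group, 6))
```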