[Oisf-devel] placement and SIDs for new rules

Matt Jonkman jonkman at jonkmans.com
Fri Dec 7 13:46:08 UTC 2012


On Fri, Dec 7, 2012 at 4:22 AM, Victor Julien <victor at inliniac.net> wrote:

>
> >
> > My questions are:
> >
> > Should I create a new file under rules/ to store those rules? Do they
> > belong somewhere else like Emerging Threats? If they belong in Suricata,
> > what SIDs should I use?
>
> We use this doc about SID allocation. Everything below 2000000 is
> reserved to VRT:
> http://doc.emergingthreats.net/bin/view/Main/SidAllocation
>
>
With the exception of the 1 million range. That's reserved for local rules.
That's the best place to put rules for local use of course. No chance of a
sid conflict with something you bring in.

ET and ETPRO will be all in the 2 million range. VRT is under 1 million.

We don't note the private range in the sid allocation wiki page. Probably
should just to make things clear. I'll add that today!



> As to where these rules belong, that is an interesting question. Maybe
> we distribute them with Suricata at first, then when the set(s)
> stabilize we can see if it makes sense to talk to ET about integrating?
>
>

ET is always welcoming of rules of use! If they work for you and you can
share please do, we'll take care of them.

Matt


> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>



-- 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
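The SID ranges discussed above are a convention, so nothing in Suricata itself will stop a local rule from landing on a SID that a VRT or ET ruleset also uses. The following checker is an added example, not code from this thread, from OISF or from Emerging Threats. It assumes the ranges as stated in the message (VRT below 1,000,000; 1,000,000 to 1,999,999 for local rules; 2,000,000 to 2,999,999 for ET and ET Pro, an assumed upper bound for the "2 million range") and uses a constructed sample rules file; a sid inside a quoted msg string would be a false positive for the simple regex used here.

```python
"""Check SIDs in a local Suricata rules file against the allocation ranges
described on the oisf-devel list (added example, not project code).

Assumed ranges (low end inclusive, high end exclusive):
  - 0 .. 999,999            VRT (Snort) rules
  - 1,000,000 .. 1,999,999  reserved for local rules
  - 2,000,000 .. 2,999,999  ET / ET Pro (upper bound is an assumption)
"""
import re
from collections import Counter

# Matches the sid keyword in a rule option block, e.g. "sid:1000001;".
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

VRT_RANGE = range(0, 1_000_000)
LOCAL_RANGE = range(1_000_000, 2_000_000)
ET_RANGE = range(2_000_000, 3_000_000)

# Constructed sample local.rules; one rule sits in the ET range and one
# SID is reused, which are the two mistakes the checker should catch.
SAMPLE_LOCAL_RULES = """\
# constructed sample local.rules
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH to honeypot"; sid:1000001; rev:1;)
alert dns any any -> any 53 (msg:"LOCAL suspicious TLD"; content:".example"; sid:1000002; rev:1;)
alert http any any -> any any (msg:"LOCAL bad UA"; content:"BadBot"; http_user_agent; sid:2000001; rev:1;)
alert tcp any any -> any 4444 (msg:"LOCAL duplicate"; sid:1000001; rev:2;)
"""


def classify_sid(sid):
    """Name the allocation range a SID falls in."""
    if sid in LOCAL_RANGE:
        return "local"
    if sid in VRT_RANGE:
        return "vrt"
    if sid in ET_RANGE:
        return "et"
    return "other"


def extract_sids(rule_text):
    """Return (lineno, sid) for every active (non-comment) rule line."""
    found = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out rule
        match = SID_RE.search(stripped)
        if match:
            found.append((lineno, int(match.group(1))))
    return found


def check_local_rules(rule_text, loaded_sids=()):
    """Report SID problems in a local rules file.

    loaded_sids: SIDs from rulesets you bring in (ET, VRT, ...), so that a
    collision across files is reported too.
    Returns a list of (lineno, sid, problem) tuples in line order.
    """
    problems = []
    local = extract_sids(rule_text)
    counts = Counter(sid for _, sid in local)
    loaded = set(loaded_sids)
    for lineno, sid in local:
        category = classify_sid(sid)
        if category != "local":
            problems.append((lineno, sid, f"sid outside local range ({category})"))
        if counts[sid] > 1:
            problems.append((lineno, sid, "duplicate sid within file"))
        if sid in loaded:
            problems.append((lineno, sid, "sid collides with a loaded ruleset"))
    return problems


if __name__ == "__main__":
    # Pretend sid 2000001 is already defined by a downloaded ET ruleset.
    for lineno, sid, problem in check_local_rules(SAMPLE_LOCAL_RULES, loaded_sids={2000001}):
        print(f"line {lineno}: sid {sid}: {problem}")
```

To run it against a real deployment, feed the checker the contents of local.rules and pass the SIDs harvested from every other file listed under rule-files in suricata.yaml as loaded_sids; a non-empty result means the rule set will either mis-attribute alerts or fail to load.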