[Oisf-devel] placement and SIDs for new rules
Victor Julien
victor at inliniac.net
Fri Dec 14 09:58:46 UTC 2012
On 12/07/2012 10:56 PM, David Mandelberg wrote:
> On Fri, 2012-12-07 at 10:22 +0100, Victor Julien wrote:
>> On 12/05/2012 06:24 PM, David Mandelberg wrote:
>>> Hi,
>>>
>>> I'm working on some rules that use existing keywords and a new variable.
>>> I added the variable to suricata.yaml.in:
>>>
>>> # Router addresses directly attached to any link that Suricata is
>>> # listening to.
>>> LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
>>>
>>>
>>> An example rule using the variable is:
>>>
>>> alert icmp !$LOCAL_LINK_ROUTERS any -> any any (msg:"SURICATA ICMPv4 unexpected redirect"; ip_proto:1; itype:5; sid:TODO; rev:1;)
>>
>> What should !0.0.0.0/0 match on? 0.0.0.0/0 is everything, so "not
>> everything" would be nothing.
> That's right. I don't think there's a good default value for local
> routers in IPv4. I could either pick none and have the rule fire by
> default for any icmp redirect, or pick 0.0.0.0/0 and have the rule only
> work if the administrator configures LOCAL_LINK_ROUTERS appropriately
> for the local site. Note that HOME_NET and EXTERNAL_NET are both
> inappropriate defaults because routers on the link(s) local to Suricata
> could be either on the upstream/peer/transit side or on the home side of
> the link(s). The home routers could also be configured to use addresses
> outside of HOME_NET. Please correct me if I'm wrong or missing something
> and there is a more appropriate default value for IPv4. Also, I'd be
> happy to switch the default to "[fe80::/64]" if you feel that it's
> better to be noisy by default in this case.
>
I think a new variable would be fine for it. The problem with
LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
followed by
alert icmp !$LOCAL_LINK_ROUTERS...
is that you're actually negating the entire IPv4 address space. So this
will never ever match anything IPv4.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
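To make the negation point concrete, here is an added example (not code from this thread, and not Suricata's own address-group parser) that models how a source-address field such as !$LOCAL_LINK_ROUTERS is evaluated against candidate source IPs. The group parser is a simplified stand-in for Suricata's grammar (flat groups only, no nesting), the variable table stands in for the vars section of suricata.yaml, and the router and host addresses are constructed from the RFC 5737 / RFC 3849 documentation ranges. It shows the three candidate defaults side by side: the proposed "[0.0.0.0/0,fe80::/64]" (rule can never fire for an IPv4 redirect), the noisy "[fe80::/64]" (rule fires for every IPv4 redirect), and a site-specific value that lists the real router.

```python
import ipaddress

# Stand-in for the vars section of suricata.yaml (constructed values).
DEFAULT_VARS = {"LOCAL_LINK_ROUTERS": "[0.0.0.0/0,fe80::/64]"}   # proposed default
NOISY_VARS = {"LOCAL_LINK_ROUTERS": "[fe80::/64]"}              # "noisy by default"
SITE_VARS = {"LOCAL_LINK_ROUTERS": "[192.0.2.1,fe80::/64]"}     # site lists its router

# Constructed ICMP redirect source addresses to test the rule against.
SAMPLE_SOURCES = [
    "192.0.2.1",      # the site's IPv4 router (RFC 5737 documentation range)
    "198.51.100.7",   # an arbitrary IPv4 host sending a redirect
    "fe80::1",        # an IPv6 link-local router
    "2001:db8::1",    # an arbitrary global IPv6 host (RFC 3849 range)
]


def parse_group(group):
    """Parse a flat Suricata-style address group such as "[0.0.0.0/0,fe80::/64]"
    or a single address into a list of ip_network objects.
    Simplified model: nested groups and per-item negation are not handled."""
    text = group.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def resolve(addr_spec, variables):
    """Expand a rule address field like "!$LOCAL_LINK_ROUTERS".
    Returns (negated, networks). "any" covers both address families."""
    negated = addr_spec.startswith("!")
    spec = addr_spec.lstrip("!").strip()
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    else:
        nets = parse_group(spec)
    return negated, nets


def address_matches(addr_spec, variables, ip):
    """True if `ip` satisfies the address field. A group matches when the
    address is inside any listed network of the same family; "!" inverts
    that, so "![0.0.0.0/0,...]" can never match an IPv4 address."""
    negated, nets = resolve(addr_spec, variables)
    ip = ipaddress.ip_address(ip)
    in_group = any(ip.version == net.version and ip in net for net in nets)
    return in_group != negated


def redirect_sources_that_alert(variables, sources=SAMPLE_SOURCES):
    """Sources for which the rule's "!$LOCAL_LINK_ROUTERS" field matches,
    i.e. the redirects that would alert (assuming the rest of the rule hits)."""
    return [s for s in sources
            if address_matches("!$LOCAL_LINK_ROUTERS", variables, s)]


if __name__ == "__main__":
    for name, variables in (("default", DEFAULT_VARS),
                            ("noisy", NOISY_VARS),
                            ("site", SITE_VARS)):
        print(f"{name:8} {variables['LOCAL_LINK_ROUTERS']:24} -> "
              f"{redirect_sources_that_alert(variables)}")
```

With the proposed default, the only source that can ever alert is a non-link-local IPv6 sender; no IPv4 redirect alerts at all, which is the "negating the entire IPv4 address space" outcome described above. Dropping 0.0.0.0/0 flips that to alerting on every IPv4 redirect, and the rule only becomes selective once the site fills in its own router addresses.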