[Oisf-devel] placement and SIDs for new rules
David Mandelberg
dmandelb at bbn.com
Wed Dec 19 22:48:26 UTC 2012
On Fri, 2012-12-14 at 10:58 +0100, Victor Julien wrote:
> I think a new variable would be fine for it. The problem with
>
> LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
>
> followed by
>
> alert icmp !$LOCAL_LINK_ROUTERS...
>
> Is that you're actually negating the entire ipv4 address space. So this
> will never ever match anything ipv4.
Yes, that's the intent. The only other option I see is for the rule to
be noisy by default. If the person who sets Suricata up wants the rule
to work, they can edit LOCAL_LINK_ROUTERS as appropriate for their site.
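The negation semantics discussed in this message, as an added example that is not part of the original post and not Suricata's own code. It is a simplified model that handles only flat address lists; the `SITE` value and the source addresses are constructed for illustration.

```python
import ipaddress

# Value proposed in the thread for the LOCAL_LINK_ROUTERS variable.
DEFAULT = "[0.0.0.0/0,fe80::/64]"
# Constructed example of a site-specific edit (documentation addresses).
SITE = "[192.0.2.1,fe80::1]"

def parse_group(value):
    """Parse a flat address list; nested groups and '!' items are not modelled."""
    items = value.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def negated_match(addr, value):
    """True when addr satisfies !$VAR, i.e. it lies in none of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return not any(ip.version == net.version and ip in net
                   for net in parse_group(value))

def sources_that_alert(value, sources):
    """Return the source addresses for which a rule on !$VAR could fire."""
    return [s for s in sources if negated_match(s, value)]

# Constructed source addresses: an IPv4 host, the site's routers, a link-local
# host that is not a router, and a global IPv6 host.
SOURCES = ["192.0.2.66", "192.0.2.1", "fe80::1", "fe80::dead:beef", "2001:db8::5"]

if __name__ == "__main__":
    print("default:", sources_that_alert(DEFAULT, SOURCES))
    print("site:   ", sources_that_alert(SITE, SOURCES))
```

With the default value no IPv4 source and no fe80::/64 source can satisfy the negation, so the rule stays quiet until the variable is narrowed to the site's actual routers.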