[Oisf-devel] Draft Response to Victor
John Griffith
jgriffit at bbn.com
Tue Jun 2 17:38:24 UTC 2015
OK, then have we got a deal for you.
The bottom line is we are tasked with providing this integration. A goal
of the project I am on is to distribute rules via TAXII to subscribing
Suricata hosts, then adding those new rules to the running Suricata
instance on that host. We would like to do so without disturbing the
detection engine already running so the instance wouldn't lose any state.
A stated goal of the project is the delivery of the changes we are
making to the Suricata code base for your review and - if you so
determine - integration. We intend also to put the STIX/TAXII
distribution infrastructure source up for public use through some
yet-to-be determined means - possibly GitHub.
The current design uses a daemon on the Suricata host to receive
incremental sets of rules from one or more trusted distribution sites.
The daemon saves these rules to a file, then uses the unix socket
interface to tell Suricata that new rules are available and where they
are. Note that only 'NEW' rules will be distributed in this fashion.
The unix socket thread has been modified to accept a new 'append-rules'
command. This command specifies a path to a file that contains the 'new'
rules, and we are smoke testing a version that does a 'SIGUSR2' rule
type update - basically the existing 'ReloadRules' functionality with
the ability to read an additional specified file. This gives us the
desired 'external' behavior, but we'd like to go further.
Once this initial version is working, the next thing we'd like to do is
see if we can insert the new rules into the *existing* detection engine
without reparsing all the other rules or disturbing their current state.
The goal would be to get the new rules (and only the new rules) parsed,
get any associated state initialized, and then insert them into the rule
list in the running detection engine, pausing it only long enough to
update the list pointers. We do not want to disturb the state of the
currently running rules and allow them to continue processing packets &
flows uninterrupted (or as much so as possible).
If you (or anyone else) have/has any thoughts or comments on this
approach, we'd appreciate hearing them. We're still pretty flexible at
this point, but we intend to pretty much finish up implementation this
month...
John Griffith
On 6/2/2015 4:59 AM, Victor Julien wrote:
> On 05/01/2015 01:35 PM, John Griffith wrote:
>> I'm working on a project that could use Suricata integrated with STIX
>> and TAXII - but I can't find any information other than the announcement
>> last May that such an integration had been completed.
>>
>> Could someone point me in the right direction towards code or a project
>> site?
> Sadly, this code was never contributed. Doesn't look like it will happen
> anymore either.
>
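The socket exchange the design above depends on, as an added example that is not code from this post or from the Suricata project: a small client that performs the unix-socket version handshake and then sends the proposed 'append-rules' command with the path of the file the daemon wrote. The JSON framing and the `{"version": ...}` handshake are the ones Suricata's own suricatasc tool speaks (the "0.1" version string is what suricatasc sent at the time and may need adjusting); the 'append-rules' command is the one proposed in this message, and its 'filename' argument name is assumed.

```python
import json
import os
import socket

PROTOCOL_VERSION = "0.1"  # version string suricatasc sends in its handshake

def build_command(command, arguments=None):
    """Encode a request the way the unix-socket server expects it."""
    msg = {"command": command}
    if arguments:
        msg["arguments"] = arguments
    return json.dumps(msg).encode("utf-8")

def parse_response(raw):
    """Decode a server reply into (ok, message)."""
    data = json.loads(raw.decode("utf-8"))
    return data.get("return") == "OK", data.get("message")

def recv_json(sock, timeout=5.0):
    """Replies carry no terminator, so read until the buffer parses as JSON."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before a full reply arrived")
        buf += chunk
        try:
            json.loads(buf.decode("utf-8"))
        except ValueError:
            continue  # partial JSON so far; keep reading
        return buf

def append_rules(socket_path, rules_file):
    """Tell the running Suricata where the file of new rules is.
    'append-rules' is the command proposed in this thread (not stock
    Suricata); the 'filename' argument name is an assumption."""
    rules_file = os.path.realpath(rules_file)
    if not os.path.isfile(rules_file):  # fail before touching the engine
        raise FileNotFoundError(rules_file)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(json.dumps({"version": PROTOCOL_VERSION}).encode("utf-8"))
        ok, msg = parse_response(recv_json(sock))
        if not ok:
            raise RuntimeError("handshake rejected: %s" % msg)
        sock.sendall(build_command("append-rules", {"filename": rules_file}))
        return parse_response(recv_json(sock))
```

A daemon calling `append_rules("/var/run/suricata/suricata-command.socket", path)` gets back `(True, ...)` on success or `(False, "<reason>")` when the engine rejects the file, so the daemon can log and retry rather than assume the rules loaded.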