<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Dec 7, 2012 at 4:22 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br></div><div class="im">
><br>
> My questions are:<br>
><br>
> Should I create a new file under rules/ to store those rules? Do they<br>
> belong somewhere else like Emerging Threats? If they belong in Suricata,<br>
> what SIDs should I use?<br>
<br>
</div>We use this doc about SID allocation. Everything below 2000000 is<br>
reserved to VRT: <a href="http://doc.emergingthreats.net/bin/view/Main/SidAllocation" target="_blank">http://doc.emergingthreats.net/bin/view/Main/SidAllocation</a><br>
<br></blockquote><div><br></div><div>With the exception of the 1 million range. THat's reserved for local rules. THat's the best place to put rules for local use of course. No chance od a sid conflict with something you bring in. </div>
<div><br></div><div>ET and ETPRO will be all in the 2 million range. VRT is under 1 million. </div><div><br></div><div>We don't note the private range in the sid allocation wiki page. Probably should just to make things clear. I'll add that today!</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
As to where these rules belong, that is an interesting question. Maybe<br>
we distribute them with Suricata at first, then when the set(s)<br>
stabilize we can see if it makes sense to talk to ET about integrating?<br>
<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div><br></div><div>ET is always welcoming of rules of use! If they work for you and you can share please do, we'll take care of them. </div>
<div><br></div><div>Matt</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888">
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><br><br>----------------------------------------------------<br>Matt Jonkman<br>Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>
Phone 866-504-2523 x110<br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br><a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------<br>
</div>