<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>At SuriCon this year there was a talk [1] that covered "Better
Enhanced Teleological and Taxonomic Embedded Rules Schema"
(BETTER) [2], a schema and standard for embedding metadata in
Suricata Rules. It includes a "priority" key with finite values
"high", "medium", "low", "info", and "research" [3].<br>
<br>
I know Secureworks [4] has an "enhanced" BETTER Suricata ruleset
where the BETTER standard has been applied comprehensively and
consistently on all rules, including having the "priority"
metadata key set on every rule. I am not aware of other ruleset
vendors who have adopted the BETTER standard yet.<br>
<br>
Taking a quick look with Aristotle [5] at the latest Emerging
Threats ruleset, I see less than 27% of the rules with the
"signature_severity" metadata keyword:<br>
<br>
[inline image: Aristotle output, not included in the archive]<br>
<br>
If Emerging Threats is your ruleset provider, I would encourage
you to encourage them to adopt the BETTER standard for their rules
and apply it consistently and comprehensively to their ruleset.<br>
<br>
-David Wharton<br>
<br>
1. <a class="moz-txt-link-freetext" href="https://youtu.be/6zhwohKQZos">https://youtu.be/6zhwohKQZos</a>
<a class="moz-txt-link-freetext" href="https://suricon.net/wp-content/uploads/2019/11/SURICON2019_Suricata-Rule-Taxonomy_-A-Modest-Teleological-Approach.pdf">https://suricon.net/wp-content/uploads/2019/11/SURICON2019_Suricata-Rule-Taxonomy_-A-Modest-Teleological-Approach.pdf</a><br>
2. <a class="moz-txt-link-freetext" href="https://better-schema.readthedocs.io/">https://better-schema.readthedocs.io/</a><br>
3. <a class="moz-txt-link-freetext" href="https://better-schema.readthedocs.io/en/latest/appendices.html#appendixb">https://better-schema.readthedocs.io/en/latest/appendices.html#appendixb</a><br>
4. I am a Secureworks employee; my personal views are mine alone
and do not reflect Secureworks’ views or represent an official
company position.<br>
5. <a class="moz-txt-link-freetext" href="https://github.com/secureworks/aristotle/">https://github.com/secureworks/aristotle/</a><br>
<br>
</p>
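<p>As an added example (not code from the post, from Aristotle, or from the BETTER project), a small Python check that does what the post describes: it counts how many enabled rules carry a given metadata key and flags "priority" values outside the BETTER set. The rules it runs on are constructed samples, not rules from any real ruleset.</p>

```python
import re

# BETTER "priority" values as listed in the schema's Appendix B (cited in the post above).
BETTER_PRIORITY_VALUES = {"high", "medium", "low", "info", "research"}

# Constructed sample rules for demonstration only; sids and content are made up.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE one"; content:"a"; metadata:signature_severity Major, created_at 2020_01_01; sid:9000001; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE two"; content:"b"; sid:9000002; rev:1;)
# alert dns any any -> any any (msg:"EXAMPLE disabled"; sid:9000003; rev:1;)
alert tls any any -> any any (msg:"EXAMPLE three"; metadata:priority high, attack_target Client; sid:9000004; rev:2;)
alert ip any any -> any any (msg:"EXAMPLE four"; metadata:priority urgent; sid:9000005; rev:1;)
"""

METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_metadata(rule):
    """Return one rule's metadata as {key: [values]}.

    Suricata metadata is free-form text; the common convention (used by both
    Emerging Threats and BETTER) is comma-separated 'key value' pairs."""
    m = METADATA_RE.search(rule)
    if not m:
        return {}
    pairs = {}
    for item in m.group(1).split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            pairs.setdefault(parts[0], []).append(parts[1].strip())
    return pairs


def enabled_rules(ruleset_text):
    """Yield non-blank, non-commented (i.e. enabled) rule lines."""
    for line in ruleset_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def metadata_coverage(ruleset_text, key):
    """Return (enabled rule count, rules carrying the given metadata key)."""
    rules = list(enabled_rules(ruleset_text))
    return len(rules), sum(1 for r in rules if key in parse_metadata(r))


def invalid_priorities(ruleset_text):
    """Return [(sid, value)] for 'priority' values outside the BETTER set."""
    bad = []
    for rule in enabled_rules(ruleset_text):
        sid = (SID_RE.search(rule) or [None, "?"])[1]
        for value in parse_metadata(rule).get("priority", []):
            if value.lower() not in BETTER_PRIORITY_VALUES:
                bad.append((sid, value))
    return bad
```

Run against a real `.rules` file, the coverage count gives the same kind of percentage the post reports for `signature_severity`, and the priority check shows where a BETTER rollout is incomplete or inconsistent.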
<div class="moz-cite-prefix">On 1/30/20 2:14 PM, Francis Trudeau
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHutuHvhnhupqZvJfE0Z7=u=tfkAqweR40MY92RUBj3aVuEzsA@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">The 'signature_severity' stuff is part of the metadata, which is free
form, but most of the time it's a key value pair:
<a class="moz-txt-link-freetext" href="https://suricata.readthedocs.io/en/latest/rules/meta.html#metadata">https://suricata.readthedocs.io/en/latest/rules/meta.html#metadata</a>
So signature_severity isn't an official keyword but rather extra
information that Emerging Threats (who made the rules you are looking
at) added to help classify the rule. The reason other rules might not
have that is because they were made before the metadata was added by
default by them.
On Wed, Jan 29, 2020 at 11:17 PM Star <a class="moz-txt-link-rfc2396E" href="mailto:huzhenming36@gmail.com"><huzhenming36@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Happy new year, thanks for reply
I have another question
How many severity levels does this rule define?
Some rules have severity and some do not. Is this not a uniform standard?
Thank You
Andreas Herz <a class="moz-txt-link-rfc2396E" href="mailto:aherz@oisf.net"><aherz@oisf.net></a> wrote on Tue, Jan 21, 2020 at 3:50 AM:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
On 19/01/20 at 17:36, Star wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> What does the signature_severity Major in the suricata default rule
mean?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
That is just a classification of the severity by the rule writer.
This is on a lot of rules so depends mainly on the context.
--
Andreas Herz
_______________________________________________
Suricata IDS Devel mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Participate: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/participate/">http://suricata-ids.org/participate/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a>
Redmine: <a class="moz-txt-link-freetext" href="https://redmine.openinfosecfoundation.org/">https://redmine.openinfosecfoundation.org/</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>