[Oisf-devel] placement and SIDs for new rules
David Mandelberg
dmandelb at bbn.com
Wed Dec 5 17:24:41 UTC 2012
Hi,
I'm working on some rules that use existing keywords and a new variable.
I added the variable to suricata.yaml.in:
# Router addresses directly attached to any link that Suricata is
# listening to.
LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
An example rule using the variable is:
alert icmp !$LOCAL_LINK_ROUTERS any -> any any (msg:"SURICATA ICMPv4 unexpected redirect"; ip_proto:1; itype:5; sid:TODO; rev:1;)
My questions are:
Should I create a new file under rules/ to store those rules? Do they
belong somewhere else like Emerging Threats? If they belong in Suricata,
what SIDs should I use?
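An added illustration of what the rule above expresses, written as a small standalone Python model rather than anything taken from the original post or from Suricata's own code: it parses a flat address-group value of the form used in suricata.yaml, applies the `!$LOCAL_LINK_ROUTERS` negation to a packet's source address, and checks the `ip_proto:1; itype:5` conditions. The `Packet` type, the `parse_address_group` helper and the sample addresses are assumptions made for the example; the parser handles only a flat, comma-separated list of addresses or CIDRs, not nested or negated group syntax. One consequence of the default shown in the post is visible in the model: `0.0.0.0/0` places every IPv4 source inside the group, so the negated match cannot fire for ICMPv4 until the variable is narrowed to the actual router addresses.

```python
"""Model of `alert icmp !$LOCAL_LINK_ROUTERS any -> any any (ip_proto:1; itype:5;)`.

Added example for illustration only; this is not Suricata's matching engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

IP_PROTO_ICMPV4 = 1   # ip_proto:1
ICMPV4_REDIRECT = 5   # itype:5


def parse_address_group(group: str) -> List[Network]:
    """Parse a suricata.yaml address-group value such as "[0.0.0.0/0,fe80::/64]".

    Assumption: a flat comma-separated list of hosts or CIDRs, optionally
    wrapped in [...]. Nested groups and inline '!' negation are not modelled.
    """
    text = group.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    # strict=False lets a host address such as 192.0.2.1 be treated as a /32.
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def in_group(addr: str, networks: List[Network]) -> bool:
    """True if addr falls inside any network of the group (same IP version only)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


@dataclass
class Packet:
    """Constructed stand-in for the packet fields the rule inspects."""
    src: str     # source IP address
    ip_proto: int  # IP protocol number; 1 is ICMPv4
    itype: int   # ICMP type


def unexpected_redirect(pkt: Packet, routers: List[Network]) -> bool:
    """Return True when the modelled rule would alert on pkt.

    Source negation: the packet matches only if its source is NOT in the
    LOCAL_LINK_ROUTERS group. Destination is 'any', so it is not checked.
    """
    return (pkt.ip_proto == IP_PROTO_ICMPV4
            and pkt.itype == ICMPV4_REDIRECT
            and not in_group(pkt.src, routers))


if __name__ == "__main__":
    # Constructed sample: the default from the post versus a narrowed group.
    default_routers = parse_address_group("[0.0.0.0/0,fe80::/64]")
    narrowed_routers = parse_address_group("[192.0.2.1,fe80::/64]")
    redirect_from_stranger = Packet("198.51.100.7", 1, 5)
    print(unexpected_redirect(redirect_from_stranger, default_routers))   # False: 0.0.0.0/0 covers all IPv4
    print(unexpected_redirect(redirect_from_stranger, narrowed_routers))  # True
```

Running the block prints `False` then `True` for the same redirect packet, which is the practical reason to replace the `0.0.0.0/0` placeholder with the real router addresses before expecting IPv4 alerts.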