[Oisf-devel] placement and SIDs for new rules

David Mandelberg dmandelb at bbn.com
Fri Dec 7 21:56:12 UTC 2012


On Fri, 2012-12-07 at 10:22 +0100, Victor Julien wrote:
> On 12/05/2012 06:24 PM, David Mandelberg wrote:
> > Hi,
> > 
> > I'm working on some rules that use existing keywords and a new variable.
> > I added the variable to suricata.yaml.in:
> > 
> >     # Router addresses directly attached to any link that Suricata is
> >     # listening to.
> >     LOCAL_LINK_ROUTERS: "[0.0.0.0/0,fe80::/64]"
> > 
> > 
> > An example rule using the variable is:
> > 
> > alert icmp !$LOCAL_LINK_ROUTERS any -> any any (msg:"SURICATA ICMPv4 unexpected redirect"; ip_proto:1; itype:5; sid:TODO; rev:1;)
> 
> What should !0.0.0.0/0 match on? 0.0.0.0/0 is everything, so "not
> everything" would be nothing.

That's right. I don't think there's a good default value for local
routers in IPv4. I could either pick none and have the rule fire by
default for any icmp redirect, or pick 0.0.0.0/0 and have the rule only
work if the administrator configures LOCAL_LINK_ROUTERS appropriately
for the local site. Note that HOME_NET and EXTERNAL_NET are both
inappropriate defaults because routers on the link(s) local to Suricata
could be either on the upstream/peer/transit side or on the home side of
the link(s). The home routers could also be configured to use addresses
outside of HOME_NET. Please correct me if I'm wrong or missing something
and there is a more appropriate default value for IPv4. Also, I'd be
happy to switch the default to "[fe80::/64]" if you feel that it's
better to be noisy by default in this case.


> > My questions are:
> > 
> > Should I create a new file under rules/ to store those rules? Do they
> > belong somewhere else like Emerging Threats? If they belong in Suricata,
> > what SIDs should I use?
> 
> We use this doc about SID allocation. Everything below 2000000 is
> reserved to VRT: http://doc.emergingthreats.net/bin/view/Main/SidAllocation
> 
> As to where these rules belong, that is an interesting question. Maybe
> we distribute them with Suricata at first, then when the set(s)
> stabilize we can see if it makes sense to talk to ET about integrating?

That makes sense. If they're going into Suricata for now, what range
should I use? These aren't decoder or stream events. Should I edit the
wiki page and take another block out of Suricata Reserved?
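To make Victor's point about `!0.0.0.0/0` concrete, here is a simplified Python model of how a negated address variable resolves against a packet's source address, added for this page and not Suricata's own address-matching code. The variable values and the rule's `ip_proto:1; itype:5` come from the thread; the parser, the `LOCAL_LINK_ROUTERS_V6ONLY` name and the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed variable table mirroring the suricata.yaml.in snippet in the
# thread (the _V6ONLY name is an assumption used to model the alternative).
ADDRESS_VARS = {
    "LOCAL_LINK_ROUTERS": "[0.0.0.0/0,fe80::/64]",   # default proposed in thread
    "LOCAL_LINK_ROUTERS_V6ONLY": "[fe80::/64]",      # the "noisy by default" option
}

def parse_address_spec(spec, variables):
    """Parse a Suricata-style address spec into (negated, [networks]).

    Handles "$VAR", "!$VAR", "[a,b,...]", "![a,b]" and "any". This is a
    deliberately small parser for the example: no nested brackets and no
    per-element negation inside a list.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return negated, [ip_network("0.0.0.0/0"), ip_network("::/0")]
    spec = spec.strip("[]")
    nets = [ip_network(p.strip(), strict=False) for p in spec.split(",")]
    return negated, nets

def src_matches(spec, src_ip, variables=ADDRESS_VARS):
    """True if src_ip satisfies the rule's source-address field.

    Negation is evaluated per address family: an IPv4 address is compared
    only against the IPv4 entries, so "![0.0.0.0/0,fe80::/64]" can never
    match an IPv4 source (not-everything is nothing), while an IPv6 source
    matches whenever it lies outside fe80::/64.
    """
    negated, nets = parse_address_spec(spec, variables)
    addr = ip_address(src_ip)
    in_list = any(addr in n for n in nets if n.version == addr.version)
    return not in_list if negated else in_list

def redirect_rule_fires(src_ip, ip_proto, itype, variables=ADDRESS_VARS):
    """Model of the thread's rule:
    alert icmp !$LOCAL_LINK_ROUTERS any -> any any (ip_proto:1; itype:5; ...)
    """
    return (ip_proto == 1 and itype == 5
            and src_matches("!$LOCAL_LINK_ROUTERS", src_ip, variables))
```

With the proposed default the rule is silent for every IPv4 redirect until LOCAL_LINK_ROUTERS is set to the site's actual router addresses; with "[fe80::/64]" it fires for every IPv4 redirect.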
