[Oisf-users] Modifying existing Rules

Jason Ish lists at unx.ca
Wed Apr 29 16:13:50 UTC 2015


On Tue, Apr 28, 2015 at 4:16 PM, James Moe <jimoe at sohnen-moe.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>   linux 3.16.7-21-desktop x86_64
>   suricata 2.0.7
>
>   The initial test runs have shown that some hosts generate false
> positives for certain rules. My plan is to disable those and add a
> modified version in <local.rules>.

First, I'd see if a few pass rules could do the job here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

>   My question is about the Signature ID.
> - - Should the same sid be used?
> - - Is there a convention for modified rule signatures?
> - - Is there a convention for user-created rule signatures?

I'm not aware of any conventions, but I'd develop a process that works
for you and then be consistent.

Personally if I'm just modifying parts of the rule that won't affect
the content matching, I'll use the same SID.  If I'm altering the
function of the rule I'll use a new SID.  Even when assigning a new
SID, it's handy to track the original SID, either as a comment, or
perhaps as rule metadata - you can then use custom tooling to find the
original rule again and see if it has received updates.

Jason
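As an added example (not code from the thread or from the Suricata project), the script below implements the tracking Jason describes: a modified rule copied into local.rules gets a new SID from a private range and records where it came from as rule metadata. The `original_sid` and `original_rev` metadata keys, the sample upstream and local rule files, and the 9000000 private SID range are all assumptions constructed for this example; Suricata itself attaches no meaning to those keys.

```python
"""Find the upstream original of each locally modified Suricata rule and
report whether it has been revised since the copy was taken.

Convention assumed here (not a Suricata built-in): a modified copy gets a new
sid from a private range and records the rule it was derived from in the
rule's metadata as ``original_sid`` and ``original_rev``.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rules for this example; not real upstream signatures.
UPSTREAM_RULES = """
# upstream.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; sid:2100001; rev:4; classtype:attempted-recon;)
alert http any any -> $HOME_NET any (msg:"EXAMPLE suspicious user agent"; content:"BadAgent"; http_user_agent; sid:2100002; rev:2;)
"""

LOCAL_RULES = """
# local.rules (constructed): modified copies carry the original sid/rev in metadata
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force, higher threshold"; flow:to_server; threshold:type both, track by_src, count 20, seconds 60; sid:9000001; rev:1; classtype:attempted-recon; metadata:original_sid 2100001, original_rev 3;)
alert http any any -> $HOME_NET any (msg:"LOCAL suspicious user agent"; content:"BadAgent"; http_user_agent; sid:9000002; rev:1; metadata:original_sid 2100002, original_rev 2;)
alert http any any -> $HOME_NET any (msg:"LOCAL copy of a rule upstream dropped"; content:"Gone"; sid:9000003; rev:1; metadata:original_sid 2100003, original_rev 1;)
alert http any any -> $HOME_NET any (msg:"LOCAL home-grown rule, no original"; content:"Mine"; sid:9000004; rev:1;)
"""

# Lookbehind keeps 'sid:' from matching inside words such as 'original_sid'.
SID_RE = re.compile(r"(?<![A-Za-z_])sid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"(?<![A-Za-z_])rev\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"metadata\s*:\s*([^;]*);")


@dataclass
class Rule:
    sid: int
    rev: int
    raw: str
    metadata: dict = field(default_factory=dict)


def parse_metadata(text):
    """Turn Suricata's 'key value, key value' metadata syntax into a dict."""
    meta = {}
    for item in text.split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            meta[parts[0]] = parts[1].strip()
    return meta


def parse_rules(text):
    """Index one-line rules by sid; comments and blank lines are skipped.
    Backslash-continued multi-line rules are not handled in this example."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # not a rule we can track
        rev_m = REV_RE.search(line)
        meta_m = META_RE.search(line)
        rule = Rule(
            sid=int(sid_m.group(1)),
            rev=int(rev_m.group(1)) if rev_m else 1,  # rev defaults to 1
            raw=line,
            metadata=parse_metadata(meta_m.group(1)) if meta_m else {},
        )
        rules[rule.sid] = rule
    return rules


def check_modified_rules(local_text, upstream_text):
    """Return (local_sid, original_sid, status) for each local rule that
    declares an original_sid.  status is 'updated' when the upstream rule's
    rev is newer than the rev the copy was taken from, 'current' when it
    matches, and 'missing' when upstream no longer carries that sid."""
    upstream = parse_rules(upstream_text)
    report = []
    for rule in parse_rules(local_text).values():
        if "original_sid" not in rule.metadata:
            continue  # home-grown rule, nothing to compare against
        orig_sid = int(rule.metadata["original_sid"])
        orig_rev = int(rule.metadata.get("original_rev", 0))
        orig = upstream.get(orig_sid)
        if orig is None:
            status = "missing"
        elif orig.rev > orig_rev:
            status = "updated"
        else:
            status = "current"
        report.append((rule.sid, orig_sid, status))
    return report


if __name__ == "__main__":
    for local_sid, orig_sid, status in check_modified_rules(LOCAL_RULES, UPSTREAM_RULES):
        print(f"local sid {local_sid} derived from {orig_sid}: {status}")
```

Run against a real rule set by reading local.rules and the upstream rules file into the two strings; an "updated" line is the cue to diff the upstream rule against your copy and decide whether the upstream change (often a tightened content match or a fixed false positive) should be carried into the modified version.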
