aleksibovellan / opnsense-suricata-nmaps

OPNSense's Suricata IDS/IPS Detection Rules Against NMAP Scans
MIT License
48 stars, 4 forks

Please consider renumbering your rules #2

Closed: jasonish closed this 4 weeks ago

jasonish commented 4 months ago

Taking a quick look at your rules I see that you are using the local sid space. Before considering these rules for the Suricata Rule Index (https://github.com/OISF/suricata-intel-index), they should use a unique range.

I could provide you a SID allocation starting at 3400000, with 100000 SIDs? Would that work? That would also get you listed over at https://sidallocation.org.

Thanks.

aleksibovellan commented 4 months ago

Hi @jasonish, sure thing, that would sound great.

So just to confirm, I could use sid numbers starting from 3400000 forwards, with a range of 100000, so for example a rule number 3400001 or 3401001 and so on? No problem in that case, I can edit the existing sid rules to match that, and then continue using the specified range for future rules too I might come up with.

Thanks,

Aleksi

> Taking a quick look at your rules I see that you are using the local sid space. Before considering these rules for the Suricata Rule Index (https://github.com/OISF/suricata-intel-index), they should use a unique range.
>
> I could provide you a SID allocation starting at 3400000, with 100000 SIDs? Would that work? That would also get you listed over at https://sidallocation.org.
>
> Thanks.

jasonish commented 4 months ago

> 3400000

That is correct, and this entry would be added to the SID allocation records if that is OK:

+| 3400000-3499999     | Aleksi Bovellan       | https://github.com/aleksibovellan/opnsense-suricata-nmaps                                            |

aleksibovellan commented 4 months ago

Alright, sounds good @jasonish. I've now edited these rules to match the new "sid quota", and will continue doing so with my future stuff also.

After this change, how can these rules, and possible new rules or edited old ones, get sent to the Suricata Rule Index? Or is the process automatic in some way?

Thanks a lot, and have a nice weekend.
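As an added example (not part of the opnsense-suricata-nmaps project and not code from either commenter): a small Python script that checks a Suricata rules file against an allocated SID range and renumbers any rule still sitting in the local sid space, which is the edit described above. The range 3400000-3499999 is the one agreed in this thread; the sample rules and their messages are constructed for illustration.

```python
"""Check and renumber Suricata rule SIDs into an allocated range.

Added example, not the project's own tooling. Assumes the 3400000-3499999
allocation discussed in the thread; the sample rules below are constructed.
"""
import re

SID_RANGE = (3400000, 3499999)   # allocation agreed in the thread

# Matches the sid:NNN; option inside a rule's option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: two rules still in the local sid space (1000000+),
# one already inside the allocated range, plus a comment and a blank line.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE scan A"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE scan B"; flags:0; sid:1000002; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"EXAMPLE scan C"; flags:FPU; sid:3400001; rev:1;)
"""


def _is_rule_line(line):
    """Blank lines and '#' comments carry no rule and are left untouched."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def extract_sids(rules_text):
    """Return (line_number, sid) pairs for every rule line that has a sid."""
    found = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not _is_rule_line(line):
            continue
        m = SID_RE.search(line)
        if m:
            found.append((lineno, int(m.group(1))))
    return found


def out_of_range(rules_text, sid_range=SID_RANGE):
    """Return the sids that fall outside the allocated range."""
    lo, hi = sid_range
    return [sid for _, sid in extract_sids(rules_text) if not lo <= sid <= hi]


def duplicate_sids(rules_text):
    """Return sids used more than once (Suricata rejects duplicate sids on load)."""
    seen, dupes = set(), set()
    for _, sid in extract_sids(rules_text):
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return sorted(dupes)


def renumber(rules_text, sid_range=SID_RANGE):
    """Rewrite out-of-range sids to the lowest unused sids in the range.

    Rules already inside the range keep their sid, so existing references
    such as threshold or suppress entries stay valid. Returns the rewritten
    text and a mapping of old_sid -> new_sid.
    """
    lo, hi = sid_range
    in_use = {sid for _, sid in extract_sids(rules_text) if lo <= sid <= hi}
    mapping = {}
    next_sid = lo
    out_lines = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line) if _is_rule_line(line) else None
        if m:
            old = int(m.group(1))
            if not lo <= old <= hi:
                while next_sid in in_use:
                    next_sid += 1
                if next_sid > hi:
                    raise ValueError("allocated SID range exhausted")
                mapping[old] = next_sid
                in_use.add(next_sid)
                line = line[:m.start(1)] + str(next_sid) + line[m.end(1):]
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", mapping


if __name__ == "__main__":
    print("out of range:", out_of_range(SAMPLE_RULES))
    print("duplicates:", duplicate_sids(SAMPLE_RULES))
    new_text, changes = renumber(SAMPLE_RULES)
    print("renumbered:", changes)
    print(new_text)
```

Run `renumber` once against a rules file, commit the result, and keep `out_of_range` and `duplicate_sids` as a pre-commit check so later additions stay inside the allocation and never reuse a sid.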

jasonish commented 4 months ago

> Alright, sounds good @jasonish. I've now edited these rules to match the new "sid quota", and will continue doing so with my future stuff also.
>
> After this change, how can these rules, and possible new rules or edited old ones, get sent to the Suricata Rule Index? Or is the process automatic in some way?
>
> Thanks a lot, and have a nice weekend.

This process is automatic once I add your rules to the index. It's a direct link to your rule files hosted here on GitHub.

aleksibovellan commented 4 months ago

> This process is automatic once I add your rules to the index. It's a direct link to your rule files hosted here on GitHub.

OK, all clear, thanks.