rule-types: add more rules - v1 #2153
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The idea is to add more examples with different usecases and possibly some scenarios that cause doubt. Related to Task #7031
Added these separately, as they require extra config files. As the test name still includes `rule-types`, it's still possible to both batches of tests at once. Related to Task #https://redmine.openinfosecfoundation.org/issues/7031
catenacyber
reviewed
Dec 10, 2024
| @@ -9,10 +9,18 @@ alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc" | |||
| alert tcp any any -> any any (msg:"tcp, no content"; sid:301;) | |||
| alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;) | |||
| alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;) | |||
| alert tcp !192.168.0.1 any -> any any (msg:"tcp, negated IP address"; sid:304;) | |||
| alert tcp !192.168.0.1 any -> any any (msg:"tcp, has negated IP address"; sid:304;) | |||
| alert tcp [10.0.0.0/8,!10.10.10.10] any -> [10.0.0.0/8,!10.10.10.10] any (msg:"tcp, has negated IP address"; sid:305;) | |||
There was a problem hiding this comment.
Should we split this test in one test per rule type ?
catenacyber
reviewed
Dec 10, 2024
| @@ -0,0 +1,10 @@ | |||
| 1,2520000,ET TOR Known Tor Exit Node Traffic | |||
There was a problem hiding this comment.
Do we need a big tests/iprep-12-rule-types/scirius-iprep.list ?
catenacyber
reviewed
Dec 10, 2024
| match: | ||
| id: 3 | ||
| type: "ip_only" | ||
| - filter: |
There was a problem hiding this comment.
Could we do with 2 rules instead of 6 ?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To accompany/ support: OISF/suricata#12184
Sharing this because some of the examples and conclusions seen there are derived from experimentations as seen here.
The purpose of these is to serve as examples of several different types of rules and what their types will be, according to the engine.
This is a draft because:
rawrule accompanying each check, to make it easier if someone is using this for studies.rulesfile should be better organized/ documentedI tried to also add checks to see what we have #2121 and OISF/suricata#12095 (comment) (to see the differences, so to speak)
Ticket
Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/7031