
rule-types: add more rules - v1 #2153

Draft: wants to merge 2 commits into base: master
Conversation

jufajardini
Contributor

To accompany/support: OISF/suricata#12184
Sharing this because some of the examples and conclusions seen there are derived from the experimentation seen here.

The purpose of these is to serve as examples of several different types of rules and what their types will be, according to the engine.
This is a draft because:

  • I do think I've introduced redundancy
  • I want to have the raw rule accompanying each check, to make it easier if someone is using this for studies
  • I think the .rules file should be better organized/documented
  • I'm not sure adding so many checks to this existing test will be well regarded 😅

I also tried to add checks to see what we have in #2121 and OISF/suricata#12095 (comment) (to see the differences, so to speak).

Ticket

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/7031

The idea is to add more examples with different use cases and possibly
some scenarios that cause doubt.

Related to
Task #7031
Added these separately, as they require extra config files.
As the test name still includes `rule-types`, it's still possible to run
both batches of tests at once.

Related to
Task #7031: https://redmine.openinfosecfoundation.org/issues/7031
@@ -9,10 +9,18 @@ alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc"
alert tcp any any -> any any (msg:"tcp, no content"; sid:301;)
alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;)
alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
alert tcp !192.168.0.1 any -> any any (msg:"tcp, negated IP address"; sid:304;)
alert tcp !192.168.0.1 any -> any any (msg:"tcp, has negated IP address"; sid:304;)
alert tcp [10.0.0.0/8,!10.10.10.10] any -> [10.0.0.0/8,!10.10.10.10] any (msg:"tcp, has negated IP address"; sid:305;)
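Review bot: sid:304 is assigned twice in this hunk, to both the "tcp, negated IP address" and the "tcp, has negated IP address" rules, while the bracketed-address rule that follows already moves on to sid:305; signature IDs need to be unique within a rule set, so the engine will treat one of the two as a duplicate rather than as a separate rule and that variation's rule type will not actually be exercised by the test. Give the second rule its own sid (renumbering the bracketed-address rule after it) and check that the test.yaml match entries reference the renumbered sids.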
Collaborator

Should we split this test into one test per rule type?

Contributor Author

Could be a good idea, except for cases where we want to see the interaction of keywords and rule types or states.
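Whether the rules stay in one file or get split per rule type, a fixture this size is easiest to keep honest with a small lint over the .rules file. The following is an added example (not code from this PR or from suricata-verify): it parses each rule's sid, msg and whether it carries a content match, then reports sids used more than once. The sample text is re-typed from the hunk above and is constructed input for the check.

```python
import re
from collections import defaultdict

# Constructed sample: the rule lines from the hunk under review, re-typed here.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"tcp, no content"; sid:301;)
alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;)
alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
alert tcp !192.168.0.1 any -> any any (msg:"tcp, negated IP address"; sid:304;)
alert tcp !192.168.0.1 any -> any any (msg:"tcp, has negated IP address"; sid:304;)
alert tcp [10.0.0.0/8,!10.10.10.10] any -> [10.0.0.0/8,!10.10.10.10] any (msg:"tcp, has negated IP address"; sid:305;)
"""

# action, protocol, then everything up to the first "(" is the header; the
# option block runs to the last ")" so that parentheses inside msg are kept.
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.*?\((?P<options>.*)\)\s*$')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
CONTENT_RE = re.compile(r'(?:^|;)\s*content\s*:')


def parse_rules(text):
    """Return one dict per active rule: line number, proto, sid, msg, has_content."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank or commented-out rule
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a stray header)
        opts = m.group('options')
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        rules.append({
            'line': lineno,
            'proto': m.group('proto'),
            'sid': int(sid.group(1)) if sid else None,
            'msg': msg.group(1) if msg else None,
            'has_content': bool(CONTENT_RE.search(opts)),
        })
    return rules


def find_duplicate_sids(rules):
    """Map each sid that occurs more than once to the line numbers using it."""
    by_sid = defaultdict(list)
    for r in rules:
        if r['sid'] is not None:
            by_sid[r['sid']].append(r['line'])
    return {sid: lines for sid, lines in by_sid.items() if len(lines) > 1}
```

Running `find_duplicate_sids(parse_rules(SAMPLE_RULES))` on the sample reports sid 304 on lines 4 and 5; pointing the same function at the real test fixture before committing catches this class of slip without waiting for the engine's duplicate-signature handling to hide one of the variations.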

@@ -0,0 +1,10 @@
1,2520000,ET TOR Known Tor Exit Node Traffic
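Review bot: the hunk header says this new categories file adds 10 lines, of which only the first is visible here; since the test is about rule types rather than reputation data, consider keeping only the categories that the rules in this test actually reference, and say in the test's README why the iprep fixture is needed at all, so that a reader does not have to infer it from the file name.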
Collaborator

Do we need a big tests/iprep-12-rule-types/scirius-iprep.list ?

match:
id: 3
type: "ip_only"
- filter:
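Review bot: this match entry identifies the rule only by id: 3 and its expected type "ip_only"; since the PR description lists carrying the raw rule with each check as a to-do, adding the rule's sid (or its msg) to the match, or a comment with the rule text next to the filter, would make each check readable without cross-referencing the .rules file and would also keep the check from silently matching a different rule if the file is reordered.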
Collaborator

Could we do with 2 rules instead of 6 ?

Contributor Author

Possibly there are duplicates here and there, but in many cases what I'm doing is trying to check whether variations here and there affect the rule type (or state) in some way, so the volume will likely be inevitable.

Labels
tests pass These new tests should pass