Sid allocation for ruleset I wish to share

New user here, been using suricata on pfsense for a few years now.

Over the last few years, I’ve been working on (o)DoH, more specifically blocking it.

On my GitHub repository, you can find IPlists (v4 & v6), an RPZ (response policy zone) file, and the docs on how to use these lists (on pfSense). To generate these lists, I keep all the collected data in a sqlite3 database (also on GitHub, mainly because IPlists aren't very reliable across regions, which gives interested users the option to generate the IPlists for their own region).

I noticed that generating a Suricata rule list from this data is fairly simple (already coded), but the problem when sharing this ruleset would be the unique sid required to ensure Suricata actually loads the rules (no conflicts).

I already found this sid overview and requested info on how to get a sid assignment; unfortunately, no response. Got a reply: apparently the GitHub repository user @bmurphy was sharing (see below) is a shared initiative with their participation.

Also found this topic on this forum, but it doesn’t help to solve my problem.

Thus, the question: how do I get (or pick) a sid that doesn't cause conflicts?

I already asked this on the pfSense forum (read here, with pictures on how it works).
The list (cleaned up compared to the example on the Netgate forum), partially (currently 548 entries), would look like this (sid needs to change):

reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for adult-filter-dot.dnswarden.com"; dns.query; content:"adult-filter-dot.dnswarden.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000019; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for a.family.ns.dnslify.com"; dns.query; content:"a.family.ns.dnslify.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000020; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for ans2.tdnszone.net"; dns.query; content:"ans2.tdnszone.net"; nocase; fast_pattern; classtype:bad-unknown; sid:1000021; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for a.ns.dnslify.com"; dns.query; content:"a.ns.dnslify.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000022; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for antidns.s.tuna.tsinghua.edu.cn"; dns.query; content:"antidns.s.tuna.tsinghua.edu.cn"; nocase; fast_pattern; classtype:bad-unknown; sid:1000023; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for anycast.censurfridns.dk"; dns.query; content:"anycast.censurfridns.dk"; nocase; fast_pattern; classtype:bad-unknown; sid:1000024; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)

Thanks for your time and effort.

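An added example, not the poster's code, of the generation step described above: domains come from a sqlite3 database, every hostname gets a stable sid inside the range the allocation registry hands out, and a helper checks the result against another ruleset before both are loaded into the same Suricata. The table names (`doh`, `sidmap`) and the range 1000019..1000100 are assumptions; the rule layout is the one shown in the post. Keeping the hostname-to-sid mapping in the database matters because a daily rebuild that renumbers rules would reuse sids for different domains, and a sid duplicated within one Suricata instance gets one of the two rules discarded.

```python
import re
import sqlite3

# Rule layout copied from the post; only the domain, sid and date vary.
RULE = ('reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for {d}"; '
        'dns.query; content:"{d}"; nocase; fast_pattern; classtype:bad-unknown; '
        'sid:{sid}; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, '
        'updated_at {date};)')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def open_db(domains):
    """Constructed in-memory stand-in for the poster's sqlite3 database (table names assumed)."""
    c = sqlite3.connect(":memory:")
    c.execute("CREATE TABLE doh(hostname TEXT PRIMARY KEY)")
    c.execute("CREATE TABLE sidmap(hostname TEXT PRIMARY KEY, sid INTEGER UNIQUE)")
    c.executemany("INSERT INTO doh VALUES (?)", [(d,) for d in domains])
    return c

def assign_sids(c, first, last):
    """Give every hostname a stable sid inside the allocated range [first, last]."""
    # Names already in sidmap keep their sid; only new names consume the next free one,
    # so a daily rebuild never renumbers or re-uses anything.
    taken = {s for (s,) in c.execute("SELECT sid FROM sidmap")}
    if not taken <= set(range(first, last + 1)):
        raise ValueError("sidmap holds sids outside the allocated range")
    nxt = max(taken, default=first - 1) + 1
    new = c.execute("SELECT DISTINCT lower(hostname) FROM doh WHERE lower(hostname) "
                    "NOT IN (SELECT hostname FROM sidmap) ORDER BY 1").fetchall()
    for (h,) in new:
        if nxt > last:
            raise ValueError("allocated sid range exhausted")
        c.execute("INSERT INTO sidmap VALUES (?, ?)", (h, nxt))
        nxt += 1
    return dict(c.execute("SELECT hostname, sid FROM sidmap"))

def render(c, date):
    """Emit rules for hostnames still in the database; retired names keep their sid reserved."""
    rows = c.execute("SELECT m.hostname, m.sid FROM sidmap m "
                     "JOIN doh d ON lower(d.hostname) = m.hostname ORDER BY m.sid")
    return [RULE.format(d=h, sid=s, date=date) for h, s in rows]

def sids_in_use(rule_text):
    """All sids referenced in the text of a .rules file."""
    return {int(s) for s in SID_RE.findall(rule_text)}

def conflicts(rules, other_ruleset_text):
    """sids shared with another ruleset loaded into the same Suricata (duplicates get dropped)."""
    return sids_in_use("\n".join(rules)) & sids_in_use(other_ruleset_text)
```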

Hello! Might be worth taking a peek at GitHub - sidallocation/sidallocation.org: Sid Allocation working group for an effort attempting to help with this issue.

It took almost a month, but the sid allocation has been added, here.

The DoH ruleset is updated daily, depending of course on the existence of new database entries. Interested? Read here, Suricata section 11; ruleset (with md5) here.