Sid allocation for ruleset I wish to share

New user here, been using suricata on pfsense for a few years now.

Over the last few years, I’ve been working on (o)DoH, more specifically blocking it.

On my GitHub repository, you can find IPlists (v4 & v6), RPZ (response policy zone) file, and the docs, on how to use these lists (on pfsense). To generate these lists, I keep all the collected data in a sqlite3 database (also on GitHub, mainly due to the fact IPlists aren’t very reliable in different regions, giving interested users the option to generate the IPlists for their region).

I noticed generating a suricata rule list from this data is fairly simple (already coded), but the problem, when sharing this ruleset would be the unique sid, required to ensure suricata actually loads the rules (no conflicts).

I already found this sid overview, requested info on how to get a sid assignment, unfortunately, no response… Got a reply: apparently, the GitHub repository user @bmurphy was sharing (see below) is a shared initiative with their participation.

Also found this topic on this forum, but it doesn’t help to solve my problem.

Thus the question: how do I get (or pick) a sid that doesn't cause conflicts?

I already asked this on the pfsense forum (read here - with pictures on how it works)
The list (cleaned up, compared to the example on the netgate forum), partially (currently 548 entries), would look like this (sid needs to change):

reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for adult-filter-dot.dnswarden.com"; dns.query; content:"adult-filter-dot.dnswarden.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000019; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for a.family.ns.dnslify.com"; dns.query; content:"a.family.ns.dnslify.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000020; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for ans2.tdnszone.net"; dns.query; content:"ans2.tdnszone.net"; nocase; fast_pattern; classtype:bad-unknown; sid:1000021; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for a.ns.dnslify.com"; dns.query; content:"a.ns.dnslify.com"; nocase; fast_pattern; classtype:bad-unknown; sid:1000022; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for antidns.s.tuna.tsinghua.edu.cn"; dns.query; content:"antidns.s.tuna.tsinghua.edu.cn"; nocase; fast_pattern; classtype:bad-unknown; sid:1000023; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for anycast.censurfridns.dk"; dns.query; content:"anycast.censurfridns.dk"; nocase; fast_pattern; classtype:bad-unknown; sid:1000024; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, updated_at 2022_11_04;)

Thanks for your time and effort.

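As an added example (not the poster's generator or anything from their repository), here is a Python sketch of how a daily rule generator can hand out sids from an allocated range: each domain keeps the sid it was first given across regenerations, a retired domain's sid is never recycled, and the run fails loudly before the range is exceeded. The range 1000019-1000029 and the in-memory sqlite3 table are constructed placeholders; a real range comes from the sid allocation registry.

```python
import re
import sqlite3

# Placeholder range: substitute the range obtained from the sid allocation registry.
SID_BASE, SID_MAX = 1000019, 1000029

# Same layout as the rules shown in the post.
RULE_TMPL = (
    'reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for {d}"; '
    'dns.query; content:"{d}"; nocase; fast_pattern; classtype:bad-unknown; '
    'sid:{sid}; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, '
    'updated_at {date};)'
)

def build_db(domains):
    """Constructed in-memory stand-in for the sqlite3 database of collected DoH domains."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE doh (domain TEXT PRIMARY KEY)")
    # sidmap is append-only: once a domain has a sid, that sid is reserved for good.
    con.execute("CREATE TABLE sidmap (domain TEXT PRIMARY KEY, sid INTEGER UNIQUE)")
    con.executemany("INSERT INTO doh VALUES (?)", [(d,) for d in domains])
    return con

def assign_sids(con, sid_base=SID_BASE, sid_max=SID_MAX):
    """Keep existing assignments, give new domains the next unused sid, and refuse
    to run past the allocated range (the moment to ask for a bigger one)."""
    (top,) = con.execute("SELECT COALESCE(MAX(sid), ?) FROM sidmap", (sid_base - 1,)).fetchone()
    new = [r[0] for r in con.execute(
        "SELECT domain FROM doh WHERE domain NOT IN (SELECT domain FROM sidmap) ORDER BY domain")]
    if top + len(new) > sid_max:
        raise ValueError(f"{len(new)} new domains would exceed sid range {sid_base}-{sid_max}")
    con.executemany("INSERT INTO sidmap VALUES (?, ?)", [(d, top + 1 + i) for i, d in enumerate(new)])
    con.commit()

def generate_rules(con, date="2022_11_04"):
    """Emit one reject rule per domain currently in the list, ordered by sid."""
    rows = con.execute(
        "SELECT d.domain, m.sid FROM doh d JOIN sidmap m ON d.domain = m.domain ORDER BY m.sid")
    return [RULE_TMPL.format(d=domain, sid=sid, date=date) for domain, sid in rows]

def check_sids(rules, sid_base=SID_BASE, sid_max=SID_MAX):
    """Sanity check before publishing: every rule has a sid, no duplicates, all in range."""
    sids = [int(m.group(1)) for m in (re.search(r"\bsid:(\d+);", r) for r in rules) if m]
    return len(sids) == len(rules) == len(set(sids)) and all(sid_base <= s <= sid_max for s in sids)
```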

Hello! Might be worth taking a peek at GitHub - sidallocation/sidallocation.org: Sid Allocation working group for an effort attempting to help with this issue.

It took almost a month, but the sid allocation has been added, here.

The DOH ruleset is updated daily, depending of course on the existence of new database entries. Interested? Read here, suricata section 11; ruleset (with md5) here.

@jpgpi250 Would you like your ruleset listed in the Suricata rule index?

I have no idea what the Suricata rule index is, and if the rules are valuable enough to be listed. The rules assume a (o)DoH client tries to resolve the configured (o)DoH domain name, using a standard (port 53) query, on which suricata will act (reject).

What are the consequences of being listed? Does this imply the rules are available to everybody, free of charge, as they are now (GitHub)?

Keep in mind I generate these rules daily on a raspberry pi, totally dependent on the maintainers of the source lists (see the doc) to keep them available and update them, I’m just consolidating and formatting the results…

This adds your ruleset to suricata-intel-index/index.yaml at master · OISF/suricata-intel-index · GitHub.

It then becomes available with the commands:

suricata-update list-sources

and

suricata-update enable-source jpgpi250/doh

or something like that. It just pre-configures things so users can easily add your ruleset to suricata-update.

Fine by me, may be useful to some people (I didn’t even know this command - noob)

Be aware I'm using suricata on pfsense; on pfsense 2.6.0 the latest available suricata version is 6.0.4. I don't think the rules need changing for 6.0.9, as indicated in the yaml.

Some fields I can provide:

summary: DNS over HTTPS domains
description: |
  Reject DNS queries for known DoH domains, using port 53
  Assuming the DoH client(s) initially use regular DNS queries, to obtain the DoH server IP address.
vendor: jpgpi250
license: 
support-url: https://github.com/jpgpi250/piholemanual/issues
url: https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH/DOH.rules
min-version:
checksum: true

No idea what license and min-version is appropriate here.

You should likely choose a license and put it on top of your rule files. Arguably data without a license is not free for anyone to use; opinions vary on this. See the top of any Emerging Threats rule file and you'll find the BSD license: https://rules.emergingthreats.net/open/suricata-5.0/rules/ciarmy.rules

For min-version we'll use 6 as that's what you are testing on. We do need a license choice however, so users of your ruleset know if they are actually allowed to use it or not.

license: Non-Commercial

Added the following to the rules (will appear tomorrow; updated now):

# Terms of Services (ToS)
# By using this dataset, you agree that:
#   The dataset can be used for both, commercial and non-commercial purpose without any limitations (CC0 - No Rights Reserved)
#   Data offered is served as it is on best effort
#   I (jpgpi250) can not be held liable for any false positive or damage caused by the use of the datasets offered.

as seen here (bottom of page).

PR created here.

Sid allocation range increased, due to the massive amount of new entries during the last week. Better safe than sorry…

Something wrong with the PR?