Feature #6993
openrule macros for commonly used logic in rules
Description
Problem Statement
The artisanal nature of rule creation often leads to variation in how common detection logic is expressed.
For example, #3494 suggests an "is_ip" keyword instead of the commonly used http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/";
Without a standardized PCRE for an IP address (in this case an IPv4 address), many variations appear, and that makes it hard to find all of them programmatically.
There are many examples of this within the ET ruleset: detecting "terse" requests, ensuring the request body is a base64 encoded string, IP address detection, UUID detection, etc.
Feature Request
Allow for a definition of a "rule macro" that can be referenced by rules within their own detection logic.
Feature Example
macro definitions
define ipv4_address: pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/";
define terse_headers: http.header_names; content:!"|0d 0a|Accept"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Cache-"; content:!"|0d 0a|Pragma"; content:!"|0d 0a|Referer|0d 0a|";
use within a rule
alert http any any -> any any (msg:"IPv4 in HTTP Host"; flow:established,to_server; http.host; include:ipv4_address; sid:1;)
alert http any any -> any any (msg:"Terse Request to Pastebin"; flow:established,to_server; http.host; content:"pastebin.com"; http.header_names; include:terse_headers; sid:2;)
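To make the proposal concrete, the following is an added example (not code from this request or from Suricata) of a rule preprocessor that implements the "define"/"include" syntax shown above: it loads the macro definitions, expands every include:name; option in a rule into the macro's options, and reports undefined macros and include cycles. The macro file format, the include token shape and the lint output are assumptions of this example; the macro bodies and rules are the ones from this request, embedded as constructed input.

```python
import re
from typing import Dict, List

# Constructed input in the syntax proposed above: one "define name: options" per line.
MACRO_SOURCE = r"""
define ipv4_address: pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/";
define terse_headers: http.header_names; content:!"|0d 0a|Accept"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Cache-"; content:!"|0d 0a|Pragma"; content:!"|0d 0a|Referer|0d 0a|";
"""

# The two example rules from the request, unexpanded.
RULES = [
    'alert http any any -> any any (msg:"IPv4 in HTTP Host"; flow:established,to_server; http.host; include:ipv4_address; sid:1;)',
    'alert http any any -> any any (msg:"Terse Request to Pastebin"; flow:established,to_server; http.host; content:"pastebin.com"; http.header_names; include:terse_headers; sid:2;)',
]

MAX_DEPTH = 8  # assumed limit; stops macros that include each other in a loop


def split_options(options: str) -> List[str]:
    """Split a rule option block on ';' characters that sit outside double quotes.

    A backslash inside quotes escapes the next character, so pcre bodies such as
    \\. or an escaped quote do not end the string. Each returned option has its
    trailing ';' removed.
    """
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                parts.append(tok)
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in options: %r" % options)
    tail = "".join(buf).strip()
    if tail:
        raise ValueError("option missing trailing ';': %r" % tail)
    return parts


def parse_macros(text: str) -> Dict[str, List[str]]:
    """Parse 'define name: options' lines into a name -> option-list mapping."""
    macros: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"define\s+([A-Za-z_]\w*)\s*:\s*(.+)", line)
        if not m:
            raise ValueError("line %d: not a macro definition: %r" % (lineno, line))
        name, body = m.group(1), m.group(2)
        if name in macros:
            raise ValueError("line %d: macro %r defined twice" % (lineno, name))
        macros[name] = split_options(body)
    return macros


def expand_options(opts: List[str], macros: Dict[str, List[str]], depth: int = 0) -> List[str]:
    """Replace every include:name option with the macro's options, recursively."""
    if depth > MAX_DEPTH:
        raise ValueError("macro include nesting too deep (cycle?)")
    out: List[str] = []
    for opt in opts:
        m = re.fullmatch(r"include\s*:\s*([A-Za-z_]\w*)", opt)
        if not m:
            out.append(opt)
            continue
        name = m.group(1)
        if name not in macros:
            raise ValueError("undefined macro %r" % name)
        out.extend(expand_options(macros[name], macros, depth + 1))
    return out


def expand_rule(rule: str, macros: Dict[str, List[str]]) -> str:
    """Return the rule with all include: options expanded; header is left untouched."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block: %r" % rule)
    header, options = rule[:start], rule[start + 1:end]
    expanded = expand_options(split_options(options), macros)
    return "%s(%s)" % (header, " ".join(o + ";" for o in expanded))


def lint_rules(rules: List[str], macros: Dict[str, List[str]]) -> List[str]:
    """Expand each rule and collect the errors instead of stopping at the first one."""
    errors = []
    for i, rule in enumerate(rules, 1):
        try:
            expand_rule(rule, macros)
        except ValueError as exc:
            errors.append("rule %d: %s" % (i, exc))
    return errors


def pcre_pattern(option: str) -> str:
    """Extract the regex body from a pcre:"/.../flags" option."""
    m = re.fullmatch(r'pcre\s*:\s*"/(.*)/([A-Za-z]*)"', option)
    if not m:
        raise ValueError("not a pcre option: %r" % option)
    return m.group(1)


def host_matches_ipv4(host: str, macros: Dict[str, List[str]]) -> bool:
    """Check a host value against the ipv4_address macro's PCRE (Python re, not PCRE)."""
    return re.search(pcre_pattern(macros["ipv4_address"][0]), host) is not None


if __name__ == "__main__":
    macros = parse_macros(MACRO_SOURCE)
    for rule in RULES:
        print(expand_rule(rule, macros))
```

Because expansion happens on option boundaries rather than by textual substitution, a macro name that appears inside a content or msg string is left alone, and the expanded output is an ordinary rule file that any current Suricata can load, which is the migration path a ruleset maintainer would want while the keyword itself is being discussed.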
Unknowns
I'm not sure how/where is best to define the "macros"; they are likely to be unique to a ruleset, so some method to ship them with the rules would be good.
In the above examples, maybe an optional "file" argument to the "include" keyword with a relative file path to the rule file being loaded?