From patchwork Mon Feb 9 14:23:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 9494 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f8n741YY0z3wpn for ; Mon, 09 Feb 2026 14:26:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4f8n736x2xz5gn for ; Mon, 09 Feb 2026 14:26:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f8n700mthz33t5 for ; Mon, 09 Feb 2026 14:26:04 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f8n6w744fz2xdr for ; Mon, 09 Feb 2026 14:26:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4f8n6v2Tvgzvw; Mon, 09 Feb 2026 14:25:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1770647159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=cZWh7dC1f2f/mhSWlqObCFveASKT8V+yOrOWswsA8bQ=; b=pJVfxMgoCseyHD4NQG3GybyRXdy1A27jcOG0Lqv8Ck4V+Mbq80OMfeQPqUQ535i2DuBc9a iVlpOmm4VgHiXjAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1770647159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=cZWh7dC1f2f/mhSWlqObCFveASKT8V+yOrOWswsA8bQ=; b=rHBRMbbN3sXCqM97nw8EY+H0Qh51pm2oXHdXbv2iffLf8NNUBemd9yZI84qbr8IkX+xRK0 WoFguAoHL97A+xQ23b/C6bvq+PoiGfqS8c8zb/4/EQb3ZlMgWN36YEdxjHjgBSSv43wzly HvMxS5B+0d3A92PapKsNh8hn278whLQXNvEG9aSGXxdR7w/GqME8hakWsiorypsw9Aurxi hYL9VF+19E8+cH3nzcR+PyuYXEUo3Uf3fXnEVqLxvv+rsVz0Wl87okhst4mEwwJamEVulr 1qcUGiK9rfi2itF/iIUWul+7T80si1oC6XWVaKYm0/RlnveWqwQj8l2ng5rDXQ== From: Stefan Schantl To: development@lists.ipfire.org Cc: Stefan Schantl Subject: [PATCH 1/4] ruleset-sources: Add details about rule sid and info URL Date: Mon, 9 Feb 2026 15:23:19 +0100 Message-ID: <20260209142322.2481-1-stefan.schantl@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Signed-off-by: Stefan Schantl --- config/suricata/ruleset-sources | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index af65648af..5b9073d85 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -13,6 +13,8 @@ package IDS::Ruleset; # requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset. # dl_url => The download URL to grab the ruleset. # dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file. +# sid_range => The sid range which the provider uses for it's rules, specified as an array. "[start sid, stop sid]" +# sid_info_url => An URL which provides additional information about a rule based on it's sid. # }, # Hash which contains the supported ruleset providers. @@ -25,6 +27,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Ruleset for registered sourcefire users with a valid subscription. @@ -35,6 +39,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Community rules from sourcefire. @@ -45,6 +51,8 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://www.snort.org/downloads/community/community-rules.tar.gz", dl_type => "archive", + sid_range => ["1", "1000000"], + sid_info_url => "https://www.snort.org/rule_docs/1-", }, # Emerging threats community rules. @@ -55,6 +63,8 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz", dl_type => "archive", + sid_range => ["2000000", "2999999"], + sid_info_url => "https://threatintel.proofpoint.com/sid/", }, # Emerging threats Pro rules. @@ -65,6 +75,8 @@ our %Providers = ( requires_subscription => "True", dl_url => "https://rules.emergingthreatspro.com//suricata-5.0/etpro.rules.tar.gz", dl_type => "archive", + sid_range => ["2000000", "2999999"], + sid_info_url => "https://threatintel.proofpoint.com/sid/", }, # Abuse.ch SSLBL Blacklist rules. @@ -72,6 +84,7 @@ our %Providers = ( summary => "Abuse.ch SSLBL Blacklist Rules", website => "https://sslbl.abuse.ch/", tr_string => "sslbl blacklist rules", + sid_range => ["902200000", "902299999"], }, # Etnetera Aggressive Blacklist. @@ -82,6 +95,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules", dl_type => "plain", + sid_range => ["500000", "599999"], }, # OISF Traffic ID rules. @@ -92,6 +106,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules", dl_type => "plain", + sid_range => ["300000000", "301000000"], }, # Positive Technologies Attack Detection Team rules. @@ -99,6 +114,7 @@ our %Providers = ( summary => "PT Attack Detection Team Rules", website => "https://github.com/ptresearch/AttackDetection", tr_string => "attack detection team rules", + sid_range => ["10000000", "11999999"], }, # Secureworks Security rules. @@ -130,6 +146,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://threatfox.abuse.ch/downloads/threatfox_suricata.rules", dl_type => "plain", + sid_range => ["91000000", "91999999"], }, # Travis B. Green hunting rules. @@ -140,6 +157,7 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules", dl_type => "plain", + sid_range => ["2610000", "2619999"], }, ipfire_dbl => { @@ -149,5 +167,6 @@ our %Providers = ( requires_subscription => "False", dl_url => "https://dbl.ipfire.org/lists/suricata.tar.gz", dl_type => "archive", + sid_range => ["406000000", "406999999"], }, );