, Reference information

Hello, I’m new to the Suricata world, and I keep seeing ET rules with references to the subdomain doc, however, this subdomain doesn’t resolve. Where can I find more information on specific SIDs that are in the Emerging Threats Open SID range: 2000000-2103999?

1 Like

Hi @Oppressed1192 , thanks for joining. Unfortunately, that’s a reference to our retired & deprecated documentation site. It contained previous rule revisions rather than truly being a ‘reference’ to how and why a rule was written. There were no reference URLs or hashes in order to provide context. There are about 5K active rules which contain those outdated references and we’re working to programmatically remove them and hope to have a solution soon.

Is there a specific rule you had questions about?

1 Like

Thank you for the quick reply, I was hoping for more documentation on the whole, but if I had specific questions on certain SIDs I see I can post them here in the future.

Excellent news about the updating process to rules with outdated references. Thanks for your time.

1 Like

Has this been fixed? I am currently using the T-POT honeypot tool and it uses your IDS. ALL the event ids point to that old doc site. Is there an alternate page we can view until you fix it? Seems kind of confusing to just stop the site before you have figured out a work around with no warnings or something from the old link to tell us you are “thinking” about a solution.

The in-line metadata references were removed from the ruleset earlier this year. The site’s retirement was mandated due to lack of use shown by our monitoring and the overall status of its supporting infrastructure. If you have a question about a specific rule, please feel free to share here.

Is tpot running updated rules in your case?

Just wanted to add to this, in TPOT you can see when your rules last updated by checking the timestamp on the rules file in the docker container. At least on the latest version of TPOT this is how you can verify:

  1. Confirm where the rules file is stored within the Docker Container by looking for the default-rule-path in /opt/tpot/docker/suricata/dist/suricata.yaml
. . .
default-rule-path: /var/lib/suricata/rules
 - suricata.rules
. . .
  1. Run this command to check the timestamp (Replace the directory to match what is in your suricata.yaml if needed).
sudo docker exec -it  suricata ls -l /var/lib/suricata/rules

-rwxr-xr-x    1 root     root          3228 Mar 18 04:14 classification.config
-rw-r--r--    1 root     root      55762179 Mar 18 04:14 suricata.rules

The suricata container will update rules on reload which happens every 24 hours so if reloads aren’t occurring that could also be your issue with seeing outdated rules.

1 Like