Best Practices for Importing Local Intrusion Rules

Observe the following guidelines when importing a local rule file:

  • The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.

  • The text file name can contain alphanumeric characters, spaces, and the special characters underscore (_), period (.), and dash (-); no other special characters are allowed.

  • The system imports local rules preceded with a single pound character (#), but flags them as deleted. It does not import local rules preceded with two pound characters (##).

  • Rules cannot contain any escape characters.

  • You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.

  • When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.

    If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.

  • When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.

    Note

    The system automatically increments the revision number when you delete a local rule; this mechanism lets you reinstate deleted local rules. All deleted local rules are moved from the local rule category to the deleted rule category.

  • Import local rules on the primary management center in a high availability pair to avoid SID numbering issues.

  • The import fails if a rule contains any of the following:

    • A SID greater than 2147483647.

    • A list of source or destination ports that is longer than 64 characters.

  • Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.

  • All imported local rules are automatically saved in the local rule category.

  • The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.
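The following script is an added pre-import check for a local rule file, written for this page and not Cisco code: it applies the guidelines above (encoding and file name, single versus double pound prefix, GID 1 only, SID range, port-list length) before the file reaches the importer. The Snort header regex, the reading of "escape characters" as backslashes, and the sample rules are assumptions of this example.

```python
import re
# Limits quoted from the guidelines above; constructed checker, not Cisco code.
SID_MIN, SID_MAX = 1_000_000, 2_147_483_647
MAX_PORT_LIST = 64
FILENAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]+$")
# Snort rule header: action proto src src_ports direction dst dst_ports (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def option_value(options, name):
    """Value of a 'name:value;' option in the rule body, or None if absent."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*:\s*([^;]+);", options)
    return m.group(1).strip() if m else None

def lint_rule(line):
    """Classify one rule line as the importer would and list import-blocking problems."""
    line = line.strip()
    if line.startswith("##"):
        return {"status": "ignored", "problems": []}          # ## rules are not imported
    status = "deleted" if line.startswith("#") else "active"  # single # imports as deleted
    rule, problems = line.lstrip("#").strip(), []
    if "\\" in rule:                                          # assumes 'escape' means backslash
        problems.append("contains escape character")
    m = HEADER_RE.match(rule)
    if not m:
        return {"status": status, "problems": problems + ["unparseable rule header"]}
    for label, ports in (("source", m.group(4)), ("destination", m.group(7))):
        if len(ports) > MAX_PORT_LIST:
            problems.append(f"{label} port list longer than {MAX_PORT_LIST} characters")
    gid = option_value(m.group(8), "gid")
    if gid is not None and gid != "1":
        problems.append(f"gid {gid} not allowed; use gid 1 or omit it")
    sid = option_value(m.group(8), "sid")
    if sid is not None and not (sid.isdigit() and SID_MIN <= int(sid) <= SID_MAX):
        problems.append(f"sid {sid} must be between {SID_MIN} and {SID_MAX}")
    return {"status": status, "problems": problems}

def lint_file(name, data):
    """Check the file name and encoding, then lint every non-blank line."""
    file_problems = [] if FILENAME_RE.match(name) else ["file name has disallowed characters"]
    try:
        text = data.decode("utf-8")                           # ASCII is a subset of UTF-8
    except UnicodeDecodeError:
        return {"file_problems": file_problems + ["not ASCII/UTF-8"], "rules": []}
    return {"file_problems": file_problems, "rules": [lint_rule(l) for l in text.splitlines() if l.strip()]}

SAMPLE = b"""alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"LOCAL example"; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"LOCAL flagged deleted"; sid:1000002; rev:2;)
## alert tcp any any -> any 80 (msg:"LOCAL not imported";)
alert tcp any any -> any 80 (msg:"LOCAL bad ids"; gid:3; sid:5000;)
"""  # constructed sample rule file (not from the page): valid, deleted, not imported, bad IDs
```

Running `lint_file("local-rules_v2.rules", SAMPLE)` reports the first two rules as clean (active and deleted), skips the `##` line, and flags the last rule for both its GID and its out-of-range SID.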