Introducing Suricata Language Server: Real-time Rule Syntax Checking and Auto-completion

Stamus Blog

Writing signatures for Suricata and other intrusion detection systems (IDS) is considered by many to be a form of art.
One of the main reasons is that the rule writer has to start from a network trace and identify patterns that are representative of a threat or behavior without being too broad (which produces false positives) or too narrow (so that changing a single bit of the attack is enough to evade the signature).
The language used to write signatures is the second reason. It is not very expressive and has no advanced constructs, so signatures need convoluted writing to express things that look simple. And there are implicit conventions and structures that must be followed to guarantee correct integration in the detection engine.
As you can begin to see, matching at 40 Gbps or 100 Gbps with 60,000 active signatures definitely requires some help from the rule writer.
Suricata itself reports rules whose syntax is not correct when it loads them (for example when run in configuration test mode with -T), but reading through the output of those commands by hand is tedious work.
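To make concrete what "checking the syntax" means before a rule ever reaches the engine, here is an added example, written for this post and not code from the Suricata Language Server or from Suricata: a small linter that validates the rule header layout, the option block delimiters and the presence of the required `msg` and `sid` keywords, and flags duplicate `sid` values across a file. The protocol list is a deliberately reduced subset and the sample rules at the bottom are constructed for the example.

```python
"""Tiny Suricata rule syntax linter (illustrative, not the Suricata Language Server)."""
import re
from dataclasses import dataclass

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# Reduced subset of the protocols Suricata accepts; a real checker loads the full list.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "http", "dns", "tls", "smb", "ssh", "ftp", "smtp"}
# any, $VAR, 80, 1024:65535, [80,443]; a leading '!' negates. Lists must not contain spaces.
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*|\[[^\]]+\])$")
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


@dataclass(frozen=True)
class Diagnostic:
    line: int
    message: str


def split_options(body):
    """Split 'k:v; k2:"a;b";' on ';' outside double quotes, honouring backslash escapes.
    Returns (options, quote_still_open, text_after_last_semicolon)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return opts, in_quote, "".join(cur).strip()


def closing_quote(value):
    """Index of the quote closing a value that starts with '"', or -1 if none."""
    escaped = False
    for i, ch in enumerate(value[1:], 1):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            return i
    return -1


def lint_rule(rule, lineno=1):
    """Return the list of Diagnostic for one logical (already joined) rule."""
    diags = []

    def err(message):
        diags.append(Diagnostic(lineno, message))

    open_idx, close_idx = rule.find("("), rule.rfind(")")
    if open_idx == -1 or close_idx == -1 or close_idx < open_idx:
        err("option block must be enclosed in '(' ... ')'")
        return diags
    if rule[close_idx + 1:].strip():
        err("unexpected text after closing ')'")
    m = HEADER_RE.match(rule[:open_idx].strip())
    if not m:
        err("header must be: action proto src sport -> dst dport")
        return diags
    if m["action"] not in ACTIONS:
        err(f"unknown action '{m['action']}'")
    if m["proto"] not in PROTOCOLS:
        err(f"unknown protocol '{m['proto']}'")
    for name in ("sport", "dport"):
        if not PORT_RE.match(m[name]):
            err(f"invalid port specification '{m[name]}'")

    opts, quote_open, tail = split_options(rule[open_idx + 1:close_idx])
    if quote_open:
        err("unterminated double quote in option block")
    if tail:
        err(f"option '{tail}' is not terminated by ';'")
    seen = {}
    for opt in opts:
        if not opt:
            err("empty option (double ';')")
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        # content:"abc" sid:1; is a common slip: quoted value followed by stray text.
        if value.startswith('"') and closing_quote(value) != len(value) - 1:
            err(f"option '{key}': text after closing quote (missing ';'?)")
        seen[key] = value
    for required in ("msg", "sid"):
        if required not in seen:
            err(f"missing required keyword '{required}'")
    for numeric in ("sid", "rev"):
        if numeric in seen and not seen[numeric].isdigit():
            err(f"'{numeric}' must be a positive integer, got '{seen[numeric]}'")
    return diags


def lint_rules(text):
    """Lint a rules file: joins backslash-continued lines, skips comments, flags duplicate sids."""
    diags, sids, pending, start = [], {}, [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            start = n
        if line.endswith("\\"):          # rule continues on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        rule = " ".join(p.strip() for p in pending).strip()
        pending = []
        if not rule or rule.startswith("#"):
            continue
        diags.extend(lint_rule(rule, start))
        m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
        if m:
            sid = int(m.group(1))
            if sid in sids:
                diags.append(Diagnostic(start, f"duplicate sid {sid} (first seen on line {sids[sid]})"))
            else:
                sids[sid] = start
    return diags


# Constructed sample ruleset for the example (not a real signature set).
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example UA"; content:"evil"; http_user_agent; sid:1000001; rev:1;)
alert tcp any any -> any 445 (msg:"Missing semicolon"; content:"abc" sid:1000002; rev:1;)
alrt tcp any any -> any 80 (msg:"Bad action"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (content:"no msg or sid";)
alert tcp any any -> any 80 (msg:"Dup"; sid:1000001; rev:2;)
alert dns any any -> any 53 (msg:"Multi \\
line"; dns.query; content:"example"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for d in lint_rules(SAMPLE_RULES):
        print(f"line {d.line}: {d.message}")
```

Run against the sample it reports the stray text after `content:"abc"` and the resulting missing `sid` on line 3, the misspelled action on line 4, the missing `msg` and `sid` on line 5 and the duplicate `sid` on line 6, while the valid rules on lines 2 and 7-8 pass. Turning diagnostics like these into editor annotations, rather than log lines to grep for, is exactly what a language server provides.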
