
What are the reasonable numbers for new/custom rule ids? (FreeBSD port) #1366

Closed
mobstef opened this issue Feb 20, 2018 · 3 comments

mobstef commented Feb 20, 2018

I am the current maintainer of the OSSEC HIDS FreeBSD port.
I would like to distribute some custom rules with the port (v2.9.3) suitable for FreeBSD and based on the Linux rule "533" from "ossec_rules.xml". Something like:

<group name="ossec,">

  ...

  <rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description> 
  </rule>

  ...

  <rule id="536" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -4 -p tcp</match>
    <check_diff />
    <description>Listened IPv4 TCP ports status (netstat) changed (new port opened or closed).</description> 
  </rule>

  <rule id="537" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -6 -p tcp</match>
    <check_diff />
    <description>Listened IPv6 TCP ports status (netstat) changed (new port opened or closed).</description> 
  </rule>

  <rule id="538" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -4 -p udp</match>
    <check_diff />
    <description>IPv4 UDP ports status (netstat) changed (new port opened or closed).</description> 
  </rule>

  <rule id="539" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -6 -p udp</match>
    <check_diff />
    <description>IPv6 UDP ports status (netstat) changed (new port opened or closed).</description> 
  </rule>

  ...

</group>

The questions are:

  1. Should the mentioned rules be added to OSSEC or shipped with the port (they will not work on Linux, because the netstat command options differ)?
  2. If they should be added to OSSEC, then where exactly and with which rule ids?
  3. If they should be added to the port, then what rule id range is safe to use? Can it somehow be restricted to the FreeBSD port?
  4. If an OSSEC HIDS user wants to add a custom rule, what is the safe rule id range that will guarantee no conflicts with future releases?
ddpbsd (Member) commented Feb 21, 2018

Do you add the corresponding commands to the ossec.conf as well?
1-2. I don't have a problem with them being added to OSSEC. I have added an openbsd_rules.xml for OpenBSD specific things. We could do the same thing for FreeBSD. rule_ids.txt in the doc directory has a listing of ID ranges (although I'm not positive it's totally up to date). If it is up to date, you could start with 52200 or so.
3-4. We define the following range for users: 100000 - 109999 User defined rules
If you don't want a freebsd_rules.xml or something similar, I'd choose a range in there for your specific rules (109800-109999 or something).
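One way to check a proposed rules file against these ranges before shipping it, as an added example that is not part of OSSEC or of the FreeBSD port: it parses every `<rule id="...">` in the file, flags ids outside the user-defined range (100000-109999) and the 56000-56200 range requested for the port, duplicate ids within the file, ids that collide with a constructed set of ids already taken by `ossec_rules.xml` (only 530 and 533 are taken from this thread; a real run would harvest them from the shipped rule files), and `<if_sid>` references to rules that are defined nowhere. The sample rules file, the `EXISTING_IDS` set and the function names are all constructed for the example.

```python
"""Sanity-check rule ids in a custom OSSEC rules file (added example, not OSSEC code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

# Ranges from this thread: the user-defined range listed in rule_ids.txt and the
# range requested for the FreeBSD port. Extend this dict for other reservations.
ALLOWED_RANGES: Dict[str, Tuple[int, int]] = {
    "user defined": (100000, 109999),
    "freebsd port": (56000, 56200),
}

# Constructed (assumption): ids already taken by ossec_rules.xml. Only 530 and 533
# appear in the thread; a real check would collect every <rule id> from the
# shipped rule files instead of hard-coding them here.
EXISTING_IDS: Set[int] = {530, 533}

# Constructed sample file: one id collides with ossec_rules.xml (533), one is merely
# outside the reserved ranges (536), one is duplicated (56000) and one <if_sid>
# points at a rule that exists nowhere (999).
SAMPLE_RULES_XML = """
<group name="ossec,">
  <rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status changed.</description>
  </rule>
  <rule id="536" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -4 -p tcp</match>
    <check_diff />
    <description>IPv4 TCP ports status changed.</description>
  </rule>
</group>
<group name="freebsd,">
  <rule id="56000" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -6 -p tcp</match>
    <check_diff />
    <description>IPv6 TCP ports status changed.</description>
  </rule>
  <rule id="56000" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -4 -p udp</match>
    <check_diff />
    <description>IPv4 UDP ports status changed.</description>
  </rule>
  <rule id="56001" level="7">
    <if_sid>999</if_sid>
    <match>ossec: output: 'netstat -6 -p udp</match>
    <check_diff />
    <description>IPv6 UDP ports status changed.</description>
  </rule>
</group>
"""


def parse_rules(xml_text: str) -> List[Tuple[int, List[int]]]:
    """Return (rule_id, [if_sid targets]) for every <rule> in document order.

    OSSEC rule files are XML fragments: several <group> elements can sit at the
    top level with no single root, so wrap the text in a synthetic root first.
    """
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        rid = int(rule.attrib["id"])
        # <if_sid> may list several parent rules separated by commas.
        refs_text = rule.findtext("if_sid", default="")
        refs = [int(r) for r in refs_text.split(",") if r.strip()]
        rules.append((rid, refs))
    return rules


def in_allowed_range(rule_id: int, ranges: Dict[str, Tuple[int, int]] = ALLOWED_RANGES) -> bool:
    """True if rule_id falls inside any reserved range."""
    return any(lo <= rule_id <= hi for lo, hi in ranges.values())


def check_rule_ids(xml_text: str, ranges: Dict[str, Tuple[int, int]] = ALLOWED_RANGES,
                   existing: Iterable[int] = EXISTING_IDS) -> Dict[str, List[int]]:
    """Report ids that would be unsafe to ship; each list holds offending rule ids."""
    rules = parse_rules(xml_text)
    existing = set(existing)
    defined = existing | {rid for rid, _ in rules}   # every id a <if_sid> may target
    report: Dict[str, List[int]] = {"out_of_range": [], "duplicate": [],
                                    "conflict": [], "dangling_if_sid": []}
    seen: Set[int] = set()
    for rid, refs in rules:
        if rid in seen:
            report["duplicate"].append(rid)
        seen.add(rid)
        if not in_allowed_range(rid, ranges):
            report["out_of_range"].append(rid)
        if rid in existing:
            report["conflict"].append(rid)
        if any(ref not in defined for ref in refs):
            report["dangling_if_sid"].append(rid)
    return report


if __name__ == "__main__":
    for problem, ids in check_rule_ids(SAMPLE_RULES_XML).items():
        print(f"{problem:16s}: {ids}")
```

Run as a script it prints the four problem lists for the constructed file; pointed at a real rules file (read its text and pass it to `check_rule_ids`) and with `EXISTING_IDS` filled from the installed `rules/` directory, it tells a port maintainer before release whether an id will clash with a future upstream rule file.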

mobstef (Author) commented Feb 26, 2018

Thanks for your answer.

The "rule_ids.txt" is indeed outdated. I found the following rule files violating it:
apparmor_rules.xml - ids start at 52000
clam_av_rules.xml - ids start at 52500
nsd_rules.xml - ids start at 53200
opensmtpd_rules.xml - ids start at 53500
owncloud_rules.xml - ids start at 53300
proxmox-ve_rules.xml - ids start at 53400

I thought this through and think it would be better to keep FreeBSD rules with the port. However, I still would like to have some ids reserved for the port. Can this range be 56000-56200? Can it be added to rule_ids.txt (if it still makes sense)?

ddpbsd added a commit to ddpbsd/ossec-hids that referenced this issue Mar 7, 2018:
Added a section for FreeBSD rules, although these may stay with the port.
ddpbsd (Member) commented Mar 7, 2018

@mobstef I've updated the file in PR #1372. Thanks for those updates.
I've included the range you asked for to be FreeBSD specific rules. And if you want to contribute them to the project (for anyone running FreeBSD as an agent, but not their OSSEC server), they'll be welcome.

ddpbsd closed this as completed Mar 7, 2018