GitLab

We need to publicly document our rule review process in the rule development howto. The document should be written to be read by rule authors as well as rule set administrators/reviewers. It should describe both common pitfalls in rule authorship, as well as potential vectors for malicious rules, and examples of each.

To motivate this, it should also briefly define an adversary model. As far as I am aware, the two classes of adversaries we face are network adversaries that exploit poorly written existing rules, and rule author adversaries that try to subtly smuggle malicious rewrite rules into rulesets for purposes of MITM/phishing.