Update suricata rules

[Mehrdad-hajizadeh]

Suricata requires some pre-defined rules for its detection, hence:

• [x] Where are they? how can you assess the current situation?
• [x] How can we add our own rules?
• [x] How can we get updates from 3rd parties like prrofpoint
• [x] Test the arbitrary rules

[ykrishnatuc]

Suricata Rule Management and Configuration

1. Where Are the Suricata Rules Located, and How we can assess the current situation?

• Location of Suricata Rules:

  • Suricata stores its rule files in the /etc/suricata/rules/ directory. Rules managed by suricata-update are located in /var/lib/suricata/rules/.

• Assessing the Current Situation:

  • To check which rule files are present, list the contents of the rules directory:

    ls -al /etc/suricata/rules/

  • To validate the Suricata configuration and check for errors, run:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

  • This command will test the Suricata configuration file and report any syntax errors or issues related to the rules.

2. How Can We Add Our Own Rules?

• Basic Suricata Rule Syntax:

  action proto src_ip src_port -> dest_ip dest_port (msg:"Alert message"; content:"string"; sid:12345;)

  • Components:
  • action: Action to take when the rule is matched (e.g., alert, drop).
  • proto: Protocol to match (tcp, udp, etc.).
  • src_ip/src_port: Source IP address and port.
  • dest_ip/dest_port: Destination IP address and port.
  • msg: Alert message to display.
  • content: (Optional) Specific content to match in the packet payload.
  • sid: Unique identifier for the rule.

• Adding Custom Rules:

  • To add a custom rule, edit the local.rules file:

    sudo nano /etc/suricata/rules/local.rules

  • Example rule to detect SSH connections:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection detected"; flow:to_server,established; content:"SSH-2.0-OpenSSH"; sid:100001;)

  • Save and close the file.

• Apply the New Rules:

  • Update the rules and restart Suricata:

    sudo suricata-update
    sudo systemctl restart suricata.service

3. How Can We Get Updates from Third Parties like Proofpoint?

• Obtaining Third-Party Rule Sets:

  • To get rules from third-party providers like Proofpoint's Emerging Threats (ET) ruleset, subscribe on the Proofpoint ET Pro Ruleset page.
  • The ET Pro ruleset requires a subscription, which is available for organizations. But in the screenshot I have attached below, I can see that there is an open version of the ruleset for Proofpoint, maybe we can use that.
  • If license type is MIT, we can use without any subscription.

• List Available Rule Sources:

  • To see all available rule sources, use:

    sudo suricata-update list-sources

    

  • This command lists rule sources such as et/open, et/pro, oisf/trafficid, scwx/enhanced, etc., showing their vendors, licenses, and subscription requirements.

• Enable and Update Third-Party Rules:

  • Enable specific rule sources, for example:

    sudo suricata-update enable-source et/open

  • Run the update to download and apply the latest rules:

    sudo suricata-update

4. How to Test Arbitrary Rules?

• Test the Suricata Configuration:

  • Check the configuration file for errors:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

• Generate Traffic to Match Rules:

  • Use tools like curl to generate test traffic:

    curl http://example.com

  • Check Alerts:
  • View the Suricata log file to see if the rule triggered:

    sudo cat /var/log/suricata/fast.log

• Clear Logs for Future Tests:

  • Clear the fast.log file for new testing:

    sudo truncate -s 0 /var/log/suricata/fast.log

By following above steps, we can effectively manage, update, and test Suricata rules.