Closed kdy1968 closed 3 years ago
The rules are under ets/suricata/rules/scirius.rules
(selks6 yaml has it I think). The message is when the ruleset was created originally. Updated time will be different (consequent to this after an update, reflecting last update).
Thanks. So I see in selks6-addin.yaml,
default-rule-path: /etc/suricata/rules
rule-files:
- scirius.rules
# - botcc.rules
## - botcc.portgrouped.rules
# - ciarmy.rules
# - compromised.rules
# - drop.rules
# - dshield.rules
## - emerging-activex.rules
# - emerging-attack_response.rules
# - emerging-chat.rules
# - emerging-current_events.rules
# - emerging-dns.rules
# - emerging-dos.rules
# - emerging-exploit.rules
# - emerging-ftp.rules
## - emerging-games.rules
## - emerging-icmp_info.rules
## - emerging-icmp.rules
# - emerging-imap.rules
## - emerging-inappropriate.rules
## - emerging-info.rules
# - emerging-malware.rules
# - emerging-misc.rules
# - emerging-mobile_malware.rules
# - emerging-netbios.rules
# - emerging-p2p.rules
# - emerging-policy.rules
# - emerging-pop3.rules
# - emerging-rpc.rules
## - emerging-scada.rules
## - emerging-scada_special.rules
# - emerging-scan.rules
## - emerging-shellcode.rules
# - emerging-smtp.rules
# - emerging-snmp.rules
# - emerging-sql.rules
# - emerging-telnet.rules
# - emerging-tftp.rules
# - emerging-trojan.rules
# - emerging-user_agents.rules
# - emerging-voip.rules
# - emerging-web_client.rules
# - emerging-web_server.rules
## - emerging-web_specific_apps.rules
# - emerging-worm.rules
# - tor.rules
## - decoder-events.rules # available in suricata sources under rules dir
## - stream-events.rules # available in suricata sources under rules dir
# - http-events.rules # available in suricata sources under rules dir
# - smtp-events.rules # available in suricata sources under rules dir
# - dns-events.rules # available in suricata sources under rules dir
# - tls-events.rules # available in suricata sources under rules dir
## - modbus-events.rules # available in suricata sources under rules dir
## - app-layer-events.rules # available in suricata sources under rules dir
## - dnp3-events.rules # available in suricata sources under rules dir
In scirius.rules I see the dshield rule:
drop ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5563; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2020_06_01; iprep:src,2402000,>,1;)
The Suricata dshield rule (from the current "emerging.rules.tar") looks like this:
alert ip [89.248.165.0/24,45.146.165.0/24,167.248.133.0/24,185.193.91.0/24,45.155.205.0/24,193.27.229.0/24,192.241.227.0/24,195.54.160.0/24,192.241.226.0/24,192.241.228.0/24,94.102.51.0/24,185.153.197.0/24,80.82.77.0/24,92.63.197.0/24,45.146.164.0/24,79.124.62.0/24,194.147.140.0/24,185.173.35.0/24,92.118.161.0/24,192.241.218.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5839; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2021_03_04;)
Shouldn't the scirius rule have the source IP addresses? Is it getting the IPs from iprep:src, or from scirius-iprep.list?
The point of my question above: it doesn't seem I'm getting alerts like I should. Previously I was using pfSense with Suricata and I would get several alerts a day; with the SELKS setup as inline IPS, between my internet and router, I'm only seeing a couple of alerts a week. Perhaps it is just the rules I have enabled; for instance:
I would expect the following to generate an alert when running the apt-get command:
alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; content:"ubuntu.com"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/ubuntu-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000033;)
However it doesn't. Would that be because of the "noalert" keyword?
Yes, noalert on the flowbit would make that rule not fire.
-- Regards, Peter Manev
On 7 Mar 2021, at 21:54, kdy1968 notifications@github.com wrote:
The point of my question above: it doesn't seem I'm getting alerts like I should. Previously I was using pfSense with Suricata and I would get several alerts a day; with the SELKS setup as inline IPS, between my internet and router, I'm only seeing a couple of alerts a week. Perhaps it is just the rules I have enabled; for instance:
I would expect the following to generate an alert when running the apt-get command:
alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; content:"ubuntu.com"; http_host; content:"Debian APT"; http_user_agent; flow:to_server,established; flowbits:set,traffic/id/ubuntu-apt; flowbits:set,traffic/label/software-update; noalert; sid:300000033;)
However it doesn't. Would that be because of the "noalert" keyword?
Here Scirius uses iprep to combine all those ip rules into one, hence the rule itself looks different but the end result/purpose is the same.
-- Regards, Peter Manev
On 6 Mar 2021, at 23:42, kdy1968 notifications@github.com wrote:
thanks.. so i see in selks6-addin.yaml,
default-rule-path: /etc/suricata/rules
rule-files:
- scirius.rules
- botcc.rules
- botcc.portgrouped.rules
- ciarmy.rules
- compromised.rules
- drop.rules
- dshield.rules
- emerging-activex.rules
- emerging-attack_response.rules
- emerging-chat.rules
- emerging-current_events.rules
- emerging-dns.rules
- emerging-dos.rules
- emerging-exploit.rules
- emerging-ftp.rules
- emerging-games.rules
- emerging-icmp_info.rules
- emerging-icmp.rules
- emerging-imap.rules
- emerging-inappropriate.rules
- emerging-info.rules
- emerging-malware.rules
- emerging-misc.rules
- emerging-mobile_malware.rules
- emerging-netbios.rules
- emerging-p2p.rules
- emerging-policy.rules
- emerging-pop3.rules
- emerging-rpc.rules
- emerging-scada.rules
- emerging-scada_special.rules
- emerging-scan.rules
- emerging-shellcode.rules
- emerging-smtp.rules
- emerging-snmp.rules
- emerging-sql.rules
- emerging-telnet.rules
- emerging-tftp.rules
- emerging-trojan.rules
- emerging-user_agents.rules
- emerging-voip.rules
- emerging-web_client.rules
- emerging-web_server.rules
- emerging-web_specific_apps.rules
- emerging-worm.rules
- tor.rules
- decoder-events.rules # available in suricata sources under rules dir
- stream-events.rules # available in suricata sources under rules dir
- http-events.rules # available in suricata sources under rules dir
- smtp-events.rules # available in suricata sources under rules dir
- dns-events.rules # available in suricata sources under rules dir
- tls-events.rules # available in suricata sources under rules dir
- modbus-events.rules # available in suricata sources under rules dir
- app-layer-events.rules # available in suricata sources under rules dir
- dnp3-events.rules # available in suricata sources under rules dir
In scirius.rules I see the dshield rule:
drop ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5563; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2020_06_01; iprep:src,2402000,>,1;)
The Suricata dshield rule (from the current "emerging.rules.tar") looks like this:
alert ip [2.59.200.0/22,5.134.128.0/19,5.180.4.0/22,5.181.84.0/22,5.183.60.0/22,5.188.10.0/23,24.137.16.0/20,24.170.208.0/20,24.233.0.0/19,24.236.0.0/19,27.126.160.0/20,27.146.0.0/16,31.14.65.0/24,31.14.66.0/23,31.40.156.0/22,36.0.8.0/21,36.37.48.0/20,36.116.0.0/16,36.119.0.0/16,37.156.64.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2818; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2021_03_04;)
Shouldn't the scirius rule have the source IP addresses?
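Two points in the thread are worth seeing in working code: the Scirius rewrite of the ET "group" rule (inline IP list in the header) into a single rule that matches through iprep, and the effect of noalert on the APT-GET traffic-id rule. The script below is an added example, not Scirius code and not the ET ruleset. It carries a minimal Suricata rule parser, converts an inline-list rule into Suricata's iprep files (categories.txt lines of the form id,name,description and reputation lines of the form ip-or-net,category-id,score) and into the matching iprep rule, models how iprep:src,<cat>,>,1 decides a match, and reports which rules can never alert because of noalert. The three rule strings are constructed from the rules quoted above with the IP lists shortened; the category id 1 and score 127 are arbitrary choices for the illustration.

```python
import ipaddress
import re

# Constructed rules modelled on the three signatures quoted in this thread
# (IP lists shortened; not copied from a live ruleset).
INLINE_RULE = (
    "alert ip [89.248.165.0/24,45.146.165.0/24,167.248.133.0/24] any -> $HOME_NET any "
    '(msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; '
    "flowbits:set,ET.Evil; sid:2402000; rev:5839;)"
)
IPREP_RULE = (
    'drop ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; '
    "classtype:misc-attack; flowbits:set,ET.Evil; sid:2402000; rev:5563; "
    "iprep:src,2402000,>,1;)"
)
NOALERT_RULE = (
    'alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: Ubuntu APT-GET"; '
    'content:"ubuntu.com"; http_host; flow:to_server,established; '
    "flowbits:set,traffic/id/ubuntu-apt; noalert; sid:300000033;)"
)

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# Split options on ';' only when outside double quotes (msg/content may contain ';').
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(rule):
    """Minimal Suricata rule parser: header fields plus the list of raw options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: " + rule[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [o.strip() for o in OPT_SPLIT_RE.split(body) if o.strip()]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def option(parsed, name):
    """Values of every option named `name`; keyword-only options (noalert) yield ''."""
    found = []
    for opt in parsed["options"]:
        key, _, value = opt.partition(":")
        if key.strip() == name:
            found.append(value.strip())
    return found


def inline_networks(parsed):
    """IP networks in the header source field, '[a,b,...]' or a single address."""
    return [ipaddress.ip_network(n, strict=False)
            for n in parsed["src"].strip("[]").split(",")]


def to_iprep(parsed, category_id, score=127):
    """Rewrite an inline-list rule as iprep data: one categories.txt line naming the
    category after the sid, one reputation line (net,category-id,score) per network,
    and the single rule matching on that category instead of on a list.
    category_id and score are constructed choices (Suricata scores run 0-127)."""
    sid = option(parsed, "sid")[0]
    msg = option(parsed, "msg")[0].strip('"')
    reputation = [(net, category_id, score) for net in inline_networks(parsed)]
    return {
        "categories": {sid: category_id},
        "categories_file": [f"{category_id},{sid},{msg}"],
        "reputation_file": [f"{net},{cat},{s}" for net, cat, s in reputation],
        "reputation": reputation,
        "rule": (f'{parsed["action"]} {parsed["proto"]} any any -> {parsed["dst"]} any '
                 f'(msg:"{msg}"; sid:{sid}; iprep:src,{sid},>,1;)'),
    }


def iprep_matches(parsed, packet, iprep):
    """Model of iprep:<side>,<cat>,<op>,<value>: look the chosen address up in the
    reputation data for that category and compare its score with <value>.
    Only the src and dst sides are modelled here."""
    side, cat, op, value = option(parsed, "iprep")[0].split(",")
    if side not in ("src", "dst"):
        raise NotImplementedError("iprep side not modelled: " + side)
    addr = ipaddress.ip_address(packet[side])
    cat_id = iprep["categories"].get(cat)
    scores = [s for net, c, s in iprep["reputation"] if c == cat_id and addr in net]
    if not scores:
        return False
    best = max(scores)
    return {">": best > int(value), "<": best < int(value), "=": best == int(value)}[op]


def will_alert(parsed):
    """False for rules carrying noalert: they set flowbits for other rules to test
    (flowbits:isset,...) but never raise an alert themselves."""
    return not option(parsed, "noalert")


if __name__ == "__main__":
    group = parse_rule(INLINE_RULE)
    data = to_iprep(group, category_id=1)
    print("\n".join(data["categories_file"] + data["reputation_file"]))
    print(data["rule"])
    for ip in ("89.248.165.7", "198.51.100.9"):
        hit = iprep_matches(parse_rule(IPREP_RULE), {"src": ip, "dst": "10.0.0.5"}, data)
        print(ip, "matches iprep rule:", hit)
    print("apt rule alerts on match:", will_alert(parse_rule(NOALERT_RULE)))
```

Run as a script it prints the generated categories and reputation lines, the iprep form of the rule, and that a source inside one of the listed /24s matches the iprep rule while an unlisted one does not, which is why the Scirius rule carries no address list yet covers the same sources. The last line shows the APT-GET rule never alerts on its own; to see those hits you would pair it with a rule that tests flowbits:isset,traffic/id/ubuntu-apt and has no noalert.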
Thank you for the replies; one more question. I would like to set up a geoip rule, based on the following: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/GeoIP
It mentions to make sure build info has libgeoip: yes
I don't specifically see that; I do see geoip2 support: yes
If I try and add a rule such as:
alert ip any any -> any any (msg:"GeoIP from outside US "; geoip:src,!US; sid:55555555; rev:1;)
I get:
SC_ERR_INVALID_SIGNATURE: error parsing signature
To add the rule I did the following: created a geoip.rules file and pasted the above rule in it; add custom source; upload individual signatures file; select geoip.rules file; upload.
You should probably have a longer, more detailed message in /var/log/suricata/suricata.log
Thanks. I did find that the issue was that I had not defined the geoip database in the config. I still got an error when importing the rule; this time there was no additional info in the log file, but the rule was imported, and I am getting alerts as I wanted, kinda. However, when I look at the alerts, in eve or in the Kibana map dashboard, eve is showing the geoip info for the destination, and the Kibana dashboard is also mapping by the destination. I was more interested in the source locations. Is there a way for the alert to provide geoip for the source in the alert, as well as map via source address?
This part is handled in /etc/logstash/logstash.conf; you can have a look there and change the logic.
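The logic that decides which address gets geolocated is the part to change; it is a selection step, not a Suricata setting. The script below is an added example, not the SELKS logstash.conf and not Suricata code: it reads eve.json alert records, picks the endpoint that lies outside HOME_NET (the source for inbound hits such as the Dshield rule, the destination for outbound ones), and attaches geoip_side, geoip_ip and a country for that endpoint. The eve records use documentation address ranges and are constructed; the HOME_NET list assumes the RFC 1918 defaults; GEO_LOOKUP is a small stand-in map where a real pipeline would query the GeoLite2 database.

```python
import ipaddress
import json

# Constructed eve.json records (documentation address ranges, not captured traffic).
EVE_LINES = [
    '{"timestamp":"2021-03-07T21:54:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.25","src_port":4444,"dest_ip":"192.168.1.10","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":2402000,"signature":"ET DROP Dshield Block Listed Source"}}',
    '{"timestamp":"2021-03-07T21:55:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.10","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,'
    '"proto":"TCP","alert":{"signature_id":55555555,"signature":"GeoIP from outside US"}}',
    '{"timestamp":"2021-03-07T21:56:00.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.10","dest_ip":"192.168.1.1","proto":"UDP"}',
]

# HOME_NET as configured in suricata.yaml; the RFC 1918 defaults are assumed here.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Stand-in for a GeoIP database; a real pipeline queries GeoLite2 at this point.
GEO_LOOKUP = {"203.0.113.25": "NL", "198.51.100.7": "DE"}


def is_home(ip):
    """True when the address falls inside one of the HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def external_endpoint(event):
    """Pick the address worth geolocating: the source if it is outside HOME_NET
    (inbound alerts), otherwise the destination (outbound alerts).
    Returns (side, ip), or None when both ends are internal."""
    if not is_home(event["src_ip"]):
        return "src", event["src_ip"]
    if not is_home(event["dest_ip"]):
        return "dest", event["dest_ip"]
    return None


def enrich_alerts(lines, lookup=GEO_LOOKUP):
    """Parse eve lines, keep alert events only, and attach geoip_side, geoip_ip and
    geoip_country for the external endpoint so a map can plot inbound hits by source."""
    out = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        choice = external_endpoint(event)
        if choice:
            side, ip = choice
            event["geoip_side"] = side
            event["geoip_ip"] = ip
            event["geoip_country"] = lookup.get(ip, "unknown")
        out.append(event)
    return out


if __name__ == "__main__":
    for e in enrich_alerts(EVE_LINES):
        print(e["alert"]["signature_id"], e.get("geoip_side"),
              e.get("geoip_ip"), e.get("geoip_country"))
```

The same selection in a logstash pipeline is a conditional around the geoip filter rather than two unconditional lookups, along the lines of `if [src_ip] !~ /^(10\.|192\.168\.)/ { geoip { source => "src_ip" } } else { geoip { source => "dest_ip" } }` (an illustration of the shape, not the contents of the SELKS file). Whatever field the enrichment lands in is the one the Kibana map visualization has to be pointed at.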
Thanks, appreciate your assistance. Closing.
I'm running the SELKS 6 image. After running update on the ETOpen Ruleset, the created date is not changing,
nor is the update date for an individual rule. Also the default path for the rules is set to (from suricata.yaml): default-rule-path: /var/lib/suricata/rules
rule-files:
However that directory doesn't exist; do I need to manually install those rules?