StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0
614 stars 150 forks

Unable to change rule action to Drop #212

Closed ssvinarev closed 3 years ago

ssvinarev commented 3 years ago

Hi!

Unable to change rule action from "alert" to "drop" in Scirius:

  1. Find a rule by its signature_id, go to that rule.
  2. Action -> Edit rule -> Change "Action" to Drop -> Apply transformation to ruleset, containing that rule -> Valid.

Fine, now I can see that there is a rule transformation in a ruleset (action is "drop" now). But dropping traffic doesn't work. Like earlier, it just alerts when rule hits.

The only working way I found to really change action is to find the rule in /etc/suricata/rules/scirius.rules and edit action from alert to drop. And reload the rules (suricatasc -c reload-rules). This works - traffic is dropped now.

But this is, of course, the wrong way of editing rules. What is a correct and working procedure of editing rules in Scirius? And how to log dropped events?

Thanks!

P.S.: It's af_packet in IPS mode, inline.

pevma commented 3 years ago

Did you try to push and update the ruleset from the Suricata menu in Scirius?

ssvinarev commented 3 years ago

No.. That fixed the problem. Thanks!

One more thing: how to log dropped events? Need to log all dropped hits. Adding

    - drop:
        enabled: yes
        filename: drop.log
        append: yes

to outputs: and to logging: outputs: of /etc/suricata/suricata.yaml and /etc/suricata/selks6-addin.yaml doesn't help.

pevma commented 3 years ago

Use the eve-log section (example) https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L246

ssvinarev commented 3 years ago

Tried already, it doesn't work. The log is empty, while traffic is being blocked.

pevma commented 3 years ago

Did you make the change in /etc/suricata/selks6-addin.yaml ?

ssvinarev commented 3 years ago

Yes. Tried in selks6-addin.yaml, in suricata.yaml, both.

    suricata --dump-config | grep drop

    outputs.1.eve-log.types.7 = drop
    outputs.1.eve-log.types.7.drop = (null)
    outputs.1.eve-log.types.7.drop.alerts = yes
    outputs.1.eve-log.types.7.drop.flows = all
    outputs.12 = drop
    outputs.12.drop = (null)
    outputs.12.drop.enabled = yes
    outputs.12.drop.filename = drop.log
    outputs.12.drop.append = yes
    logging.outputs.3 = drop
    logging.outputs.3.drop = (null)
    logging.outputs.3.drop.enabled = yes
    logging.outputs.3.drop.filename = /var/log/suricata/drop.log
    logging.outputs.3.drop.append = yes
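An added example (not part of the thread, and not Scirius or Suricata code) that parses the `suricata --dump-config | grep drop` output posted above and reports where drop logging is configured. It shows what that output actually says: the drop type is enabled inside the eve-log output (with `alerts: yes`, `flows: all`), a second standalone `drop` output writes `drop.log`, and a third `drop` entry sits under `logging:`, which configures Suricata's own engine log rather than event output. The sample text is the thread's own output embedded inline.

```python
import re
from typing import Dict, List

# Output of `suricata --dump-config | grep drop` exactly as posted in the thread,
# one "key = value" pair per line.
DUMP_CONFIG_GREP = """\
outputs.1.eve-log.types.7 = drop
outputs.1.eve-log.types.7.drop = (null)
outputs.1.eve-log.types.7.drop.alerts = yes
outputs.1.eve-log.types.7.drop.flows = all
outputs.12 = drop
outputs.12.drop = (null)
outputs.12.drop.enabled = yes
outputs.12.drop.filename = drop.log
outputs.12.drop.append = yes
logging.outputs.3 = drop
logging.outputs.3.drop = (null)
logging.outputs.3.drop.enabled = yes
logging.outputs.3.drop.filename = /var/log/suricata/drop.log
logging.outputs.3.drop.append = yes
"""

# Key shapes in the dump: a list entry whose value is "drop" names the output type;
# its settings live under "<key>.drop.<setting>".
EVE_DROP_RE = re.compile(r"^(outputs\.\d+\.eve-log)\.types\.\d+$")
STANDALONE_DROP_RE = re.compile(r"^outputs\.\d+$")
LOGGING_DROP_RE = re.compile(r"^logging\.outputs\.\d+$")


def parse_dump_config(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a flat dict; '(null)' marks a section node."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " = " not in line:
            continue  # skip blank or non key/value lines (e.g. a stray command echo)
        key, _, value = line.partition(" = ")
        config[key.strip()] = value.strip()
    return config


def drop_logging_summary(text: str) -> Dict[str, List[dict]]:
    """Classify every 'drop' entry by the section it was declared in."""
    config = parse_dump_config(text)
    summary: Dict[str, List[dict]] = {"eve_drop": [], "standalone_drop": [], "logging_drop": []}
    for key, value in config.items():
        if value != "drop":
            continue
        settings = key + ".drop."
        if EVE_DROP_RE.match(key):
            # drop as an eve-log *type*: events land in eve.json
            summary["eve_drop"].append({
                "section": EVE_DROP_RE.match(key).group(1),
                "alerts": config.get(settings + "alerts"),
                "flows": config.get(settings + "flows"),
            })
        elif STANDALONE_DROP_RE.match(key):
            # drop as its own output: the legacy text drop.log
            summary["standalone_drop"].append({
                "section": key,
                "enabled": config.get(settings + "enabled"),
                "filename": config.get(settings + "filename"),
            })
        elif LOGGING_DROP_RE.match(key):
            # under logging:, which is the engine log (suricata.log), not event output
            summary["logging_drop"].append({
                "section": key,
                "enabled": config.get(settings + "enabled"),
                "filename": config.get(settings + "filename"),
            })
    return summary


if __name__ == "__main__":
    for kind, entries in drop_logging_summary(DUMP_CONFIG_GREP).items():
        print(kind, entries)
```

Run it against a live dump with `suricata --dump-config | grep drop > dump.txt` and feed the file contents to `drop_logging_summary`; the `eve_drop` entry is the one that matters for the resolution pevma gives below, since with it present the drop events are written to eve.json.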

pevma commented 3 years ago

Actually, can you disable the drop log and use only eve.json? Those events should be there.

ssvinarev commented 3 years ago

Yes. Actually, this is how it is being done now. I think the issue can be closed.
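An added example (not part of the thread, and not Scirius or Suricata code) of the approach the thread settles on: reading dropped hits out of eve.json instead of a separate drop.log. With the `drop` eve-log type enabled as shown in the dump above, Suricata writes one JSON object per line with `event_type: "drop"`, and with `alerts: yes` the triggering rule is attached as an `alert` object; in IPS mode the matching alert event itself carries `alert.action: "blocked"`. The sample lines below are constructed for this example, including one malformed line to show that a truncated record is skipped rather than aborting the scan.

```python
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample eve.json lines (not captured from the reporter's sensor):
# two drop events for one blocked rule, the matching alert marked "blocked",
# an unrelated alert that was only logged, and one truncated line.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2021-01-01T10:00:00.000000+0000", "event_type": "drop",
                "src_ip": "10.0.0.5", "src_port": 44321, "dest_ip": "192.0.2.10",
                "dest_port": 80, "proto": "TCP",
                "drop": {"len": 60, "ttl": 64, "syn": True},
                "alert": {"action": "blocked", "signature_id": 1000001,
                          "signature": "EXAMPLE blocked request"}}),
    json.dumps({"timestamp": "2021-01-01T10:00:01.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 44321, "dest_ip": "192.0.2.10",
                "dest_port": 80, "proto": "TCP",
                "alert": {"action": "blocked", "signature_id": 1000001,
                          "signature": "EXAMPLE blocked request"}}),
    json.dumps({"timestamp": "2021-01-01T10:00:02.000000+0000", "event_type": "drop",
                "src_ip": "10.0.0.6", "src_port": 50000, "dest_ip": "192.0.2.10",
                "dest_port": 443, "proto": "TCP",
                "drop": {"len": 60, "ttl": 64, "syn": True},
                "alert": {"action": "blocked", "signature_id": 1000001,
                          "signature": "EXAMPLE blocked request"}}),
    json.dumps({"timestamp": "2021-01-01T10:00:03.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.7", "src_port": 50001, "dest_ip": "192.0.2.10",
                "dest_port": 80, "proto": "TCP",
                "alert": {"action": "allowed", "signature_id": 1000002,
                          "signature": "EXAMPLE alert-only rule"}}),
    '{"timestamp": "2021-01-01T10:00:04.000000+0000", "event_type": "dr',  # truncated
]


def parse_eve(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per valid JSON line; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written record at file end is normal; ignore it
        if isinstance(event, dict):
            yield event


def drop_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return a compact view of every event_type == 'drop' record."""
    result = []
    for ev in parse_eve(lines):
        if ev.get("event_type") != "drop":
            continue
        alert = ev.get("alert", {})
        result.append({
            "timestamp": ev.get("timestamp"),
            "flow": f"{ev.get('src_ip')}:{ev.get('src_port')} -> "
                    f"{ev.get('dest_ip')}:{ev.get('dest_port')} {ev.get('proto')}",
            "signature_id": alert.get("signature_id"),
            "signature": alert.get("signature"),
        })
    return result


def blocked_alerts(lines: Iterable[str]) -> List[dict]:
    """Alert records whose action is 'blocked', i.e. rules that actually dropped."""
    return [ev for ev in parse_eve(lines)
            if ev.get("event_type") == "alert"
            and ev.get("alert", {}).get("action") == "blocked"]


def drops_by_signature(lines: Iterable[str]) -> Dict[int, int]:
    """Count drop events per signature_id, which is what Scirius shows per rule."""
    counts: Dict[int, int] = {}
    for d in drop_events(lines):
        sid = d["signature_id"]
        counts[sid] = counts.get(sid, 0) + 1
    return counts


if __name__ == "__main__":
    for d in drop_events(SAMPLE_EVE_LINES):
        print(d)
    print(drops_by_signature(SAMPLE_EVE_LINES))
```

On a sensor, replace `SAMPLE_EVE_LINES` with `open("/var/log/suricata/eve.json")`; the functions take any iterable of lines, so a `tail -f`-style reader works as well. Counting by `signature_id` is a quick way to confirm that the rule transformed to drop in Scirius is the one producing the drop events.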

pevma commented 3 years ago

Ok, thank you!