Comments (12)

pevma avatar pevma commented on June 6, 2024

Yes - this is the only option - disable the rule as a whole (not on a per-IP basis).
You have to apply the ruleset (after you disable that particular rule) - update/restart in the Suricata submenu.

from scirius.

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Pevma,
I understand this is the only option in Scirius, but isn't there an option in Suricata to disable rules based on SRC or DST IP address, as is possible in Snort?
In Snort, one just needs to update the threshold.conf file (suppress rule).
Looking at this article, it seems it is also possible to do that in Suricata:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds

Sorry if I am asking obvious questions, I am still very new to Suricata and starting to learn it... i.e. learning that it is using the same rules as Snort... so maybe the same threshold.conf file?

According to this article, Suricata uses a threshold.config file:
http://www.aldeid.com/wiki/Suricata-vs-snort

The problem is that on SELKS 2.0, I can't find that file either in /etc/suricata/rules
or /etc/suricata/rules/rules (why are there two "rules" folders!?).
Will try experimenting with this, but if there is indeed a way to "manually" suppress/disable rules based on SRC or DST IP then it would be great to have an option for it in the Scirius GUI as well.
This is a very powerful mechanism to tune our IDS rules with a bit more granularity.

I have heard from a work colleague that Snort is about to allow suppression by port number too in their next version. Again very useful, especially with a very common false positive related to a TOR Exit alert which is in fact an NTP request to an NTP cluster node. Being able to filter on a rule to say "ignore this alert from those local IPs if they go to this port (53)" is very granular and flexible.

Ok, I could just edit the original rule, but that's not the point :)
(I prefer to keep everything standard/default and just customise the threshold file.)

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Right, so I managed to suppress rules based on SRC or DST IP.
Realising that Suricata uses the same rules/files as Snort makes this fairly easy.

Looking at /etc/suricata/suricata.yaml we can see that the default file for thresholds is /etc/suricata/threshold.config.

Then if you already have a Snort threshold.conf file (i.e. if you are running Snort somewhere else on your network, or Security Onion) it is just a matter of copying that file across and renaming it threshold.config.

The format for adding rules to that file can be found in many internet/Google articles related to Snort.

A suggestion if I may: it would be nice to have a template or empty threshold.config file by default in /etc/suricata/threshold.config.
I know it is not that hard to look at the config file, but for newbies like me who don't really understand Suricata (starting to though!) it would make the transition from Snort or other NSM much smoother!

Last question... where does Scirius store the rules it disables?!

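Worked example, added here as an illustration (it is not code from this thread, from Scirius or from Suricata): a small Python checker that parses `suppress` entries in the threshold.config syntax that Suricata documents (`suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst|by_either, ip <ip|cidr|[list]>]`) and reports whether a given alert would be suppressed, so a file can be sanity-checked before the sensor is restarted. The file contents, SIDs and addresses below are constructed for the demo. The checker deliberately handles only `suppress` lines with literal IPs or CIDR lists; address variables such as `$HOME_NET` are rejected because resolving them needs suricata.yaml, and `threshold`/`event_filter` lines are out of scope. It complements, and does not replace, Suricata's own configuration test (`suricata -T -c /etc/suricata/suricata.yaml`).

```python
"""Check which alerts a Suricata threshold.config would suppress.

Added example; not Scirius or Suricata code.  Only the ``suppress`` entry
form is understood; address variables ($HOME_NET etc.) are rejected on
purpose because resolving them would require reading suricata.yaml.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?$"
)


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]            # None: suppress the signature for every address
    nets: List = field(default_factory=list)  # ip_network objects the track applies to


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse suppress entries; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            # threshold/event_filter lines are valid Suricata syntax but out of
            # scope here: fail loudly instead of silently ignoring an entry
            raise ValueError(f"line {lineno}: unsupported entry: {line!r}")
        gid, sid, track, ips = m.groups()
        nets = []
        if ips:
            # a list looks like [10.0.0.0/8,192.168.0.0/16] (no spaces)
            for token in ips.strip("[]").split(","):
                token = token.strip()
                if token.startswith("$"):
                    raise ValueError(f"line {lineno}: address variable {token} not supported here")
                nets.append(ipaddress.ip_network(token, strict=False))
        rules.append(Suppress(int(gid), int(sid), track, nets))
    return rules


def is_suppressed(rules: List[Suppress], gid: int, sid: int, src_ip: str, dst_ip: str) -> bool:
    """True if any suppress entry matches this (gid, sid, src, dst) alert."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.gid, r.sid) != (gid, sid):
            continue
        if r.track is None:
            return True
        hit_src = any(src in n for n in r.nets)
        hit_dst = any(dst in n for n in r.nets)
        if r.track == "by_src" and hit_src:
            return True
        if r.track == "by_dst" and hit_dst:
            return True
        if r.track == "by_either" and (hit_src or hit_dst):
            return True
    return False


# Constructed threshold.config; sids and addresses are made up for this demo.
EXAMPLE_THRESHOLD_CONFIG = """
suppress gen_id 1, sig_id 1000001
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.0.5
suppress gen_id 1, sig_id 1000003, track by_dst, ip [192.168.1.0/24,172.16.0.0/12]
suppress gen_id 1, sig_id 1000004, track by_either, ip 203.0.113.7
"""

# Constructed alerts in the shape of EVE alert records (only the fields used here).
EXAMPLE_ALERTS = [
    {"gid": 1, "sid": 1000001, "src_ip": "1.2.3.4", "dest_ip": "5.6.7.8"},
    {"gid": 1, "sid": 1000002, "src_ip": "10.0.0.5", "dest_ip": "8.8.8.8"},
    {"gid": 1, "sid": 1000002, "src_ip": "8.8.8.8", "dest_ip": "10.0.0.5"},   # by_src: wrong direction
    {"gid": 1, "sid": 1000003, "src_ip": "10.9.9.9", "dest_ip": "172.20.1.1"},
    {"gid": 1, "sid": 1000004, "src_ip": "203.0.113.7", "dest_ip": "10.1.1.1"},
    {"gid": 1, "sid": 1000005, "src_ip": "203.0.113.7", "dest_ip": "10.1.1.1"},  # no entry at all
]


def surviving_alerts(rules: List[Suppress], alerts: List[dict]) -> List[dict]:
    """Alerts that would still be emitted with this threshold.config in place."""
    return [a for a in alerts
            if not is_suppressed(rules, a["gid"], a["sid"], a["src_ip"], a["dest_ip"])]


if __name__ == "__main__":
    parsed = parse_threshold_config(EXAMPLE_THRESHOLD_CONFIG)
    for alert in surviving_alerts(parsed, EXAMPLE_ALERTS):
        print("still alerts:", alert)
```

The direction caveat is the one that bites in practice: a `track by_src` entry for a local host suppresses only alerts where that host is the source, so the "wrong direction" record above still fires; use `by_either` when the false positive can be seen from both sides.
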
pevma avatar pevma commented on June 6, 2024

You can not disable rules on a per-IP basis using Scirius, but you can use that functionality as a standard Suricata feature (as you already found :) ).
I think it is a nice suggestion (about the threshold.conf), although not really tough to come up with on your own.
The disabled rules are in the DB, not in /etc/suricata/rules/scirius.rules (thanks @regit).

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Doh! I didn't realise Scirius was storing those rules in a database!
Makes sense now, thanks!

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Sorry... but that means Suricata also uses the database then, right? So it knows not to alert on those rules?
Edit/PS: I am assuming Scirius can be used to manage Suricata and not just as a Suricata reporting tool.

regit avatar regit commented on June 6, 2024

Suricata does not use the DB. The interaction between Suri and Scirius is just the scirius.rules file.

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Ok, so I might be a bit slow here but...
If Scirius saves the disabled rules in its database (/opt/selks/scirius/db/db.sqlite3),
and Suricata does not access that database,
then it means disabling a rule in Scirius only removes it from the Scirius view and does not really disable the rule for Suricata, meaning the rule will still be reported in the SELKS dashboard.

If the above is right, then Scirius is not really a Suricata Management framework, but a reporting framework. Or maybe a bit of both :)

pevma avatar pevma commented on June 6, 2024

Suricata loads whatever rules are available in /etc/suricata/rules/scirius.rules. So if you disable a rule from Scirius, it will be removed from /etc/suricata/rules/scirius.rules and that way Suricata will not load it, hence disabling it.

b-u-g-s avatar b-u-g-s commented on June 6, 2024

Doh!!! So that means, because I deleted the disabled rules manually in the Scirius database, I have lost those 3 rules!
That was a stupid move :o/
Will try to find a way to restore the original scirius.rules.

I was a bit too trigger happy today...

b-u-g-s avatar b-u-g-s commented on June 6, 2024

and thanks for the explanation, now I understand a bit better how this is all stitched together :)

regit avatar regit commented on June 6, 2024

This is fixed by 116e15f. Please reopen if needed.
