
Comments (14)

regit avatar regit commented on June 1, 2024

Hello,

You are seeing the alert in scirius.rules. So scirius has done most of its job. Now there are two possibilities: either Suricata has not been restarted, or DNS is not active/working in your config.
To be sure of 1, restart the Suricata service with 'service suricata restart'. For 2, check whether you see the DNS request in the log. As that seems to be the case, I think 1 is more likely.

from scirius.

Suricata-tester avatar Suricata-tester commented on June 1, 2024

Hello,

Thank you for your quick answer.

  1. As I did "Update + Build + Push", Suricata should be restarted. I have issued the Suricata restart, without any improvement.
  2. Do you mean in the eve.json file?

<Notice> - This is Suricata version 2.1beta3 RELEASE

Could this be a bug in the beta release? How could I troubleshoot further? I am stuck for now! :(

Thank you so much.
Best Regards,


regit avatar regit commented on June 1, 2024

Hi,

  1. Yes, you can look in the eve.main file or in kibana. You should see some '"event_type":"dns"' entries.

I don't think this is a bug in this suricata version.


Suricata-tester avatar Suricata-tester commented on June 1, 2024

Yes, I see events in Kibana or eve.json which match my rule!

[image: kibana - dns traces]

I restarted all the components, even the VM but it does not work for now.

What would be the next step to troubleshoot?

Thank you very much.
Best Regards,


pevma avatar pevma commented on June 1, 2024

Hi,

Open that record, find the "flow_id" and filter on that in the "ALL" dashboard - that would give you the whole flow view.

It could be related to the rule syntax.
Try removing the dns query keyword (restart and update etc.) and see if that makes any difference?

Thank you

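The two checks suggested above (look for '"event_type":"dns"' entries, then filter the ALL dashboard on the record's "flow_id" to see the whole flow) can also be done straight from eve.json on the sensor. The following is an added example, not code from the thread or from scirius/Suricata: it reads eve.json lines, finds the flows that carried a DNS event for a given name, and reports whether a given signature id ever alerted on those flows. The log lines, flow ids, name and sid are constructed for the example.

```python
import json

# Constructed sample eve.json lines (not from the original thread): a DNS
# query, its answer and an alert all on flow 111, plus a second flow (222)
# that carries a DNS query but never alerts.
SAMPLE_EVE = """\
{"timestamp":"2015-03-10T10:00:00.000000+0100","flow_id":111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2015-03-10T10:00:00.010000+0100","flow_id":111,"event_type":"dns","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","rrname":"example.com","rrtype":"A","rdata":"93.184.216.34"}}
{"timestamp":"2015-03-10T10:00:00.020000+0100","flow_id":111,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","alert":{"signature_id":9000001,"rev":1,"signature":"custom dns test"}}
{"timestamp":"2015-03-10T10:00:01.000000+0100","flow_id":222,"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"other.test","rrtype":"A"}}
"""

def load_eve(text):
    """Parse eve.json (one JSON object per line), skipping blank or partial lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            # A half-written last line is normal on a live file; skip it.
            continue
    return events

def dns_flows_for_name(events, rrname):
    """flow_ids of DNS events whose rrname matches (the '"event_type":"dns"' check)."""
    return sorted({e["flow_id"] for e in events
                   if e.get("event_type") == "dns"
                   and e.get("dns", {}).get("rrname") == rrname})

def flow_view(events, flow_id):
    """All events on one flow in timestamp order (the 'filter on flow_id' check)."""
    return sorted((e for e in events if e.get("flow_id") == flow_id),
                  key=lambda e: e["timestamp"])

def alerted_sids(events, flow_id):
    """Signature ids that fired on this flow; empty means the app-layer event was
    logged but no rule matched it."""
    return sorted({e["alert"]["signature_id"] for e in flow_view(events, flow_id)
                   if e.get("event_type") == "alert"})

def check_rule_fired(text, rrname, sid):
    """Map each flow that carried a DNS event for rrname to whether sid fired on it."""
    events = load_eve(text)
    return {fid: sid in alerted_sids(events, fid)
            for fid in dns_flows_for_name(events, rrname)}

if __name__ == "__main__":
    for fid, fired in check_rule_fired(SAMPLE_EVE, "example.com", 9000001).items():
        print(f"flow {fid}: dns seen, sid 9000001 fired={fired}")
```

On a real sensor, replace SAMPLE_EVE with the contents of the eve.json file and use the rrname and sid of the rule under test; a flow that shows up with fired=False is the one to open in the ALL dashboard, since Suricata saw the DNS transaction there without the rule matching.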

Suricata-tester avatar Suricata-tester commented on June 1, 2024

Hi again,

I simplified the rule, without any improvement.
What I also did is copy an SSLBL abuse.ch rule and modify the fingerprint to the one from one of my servers. I did see the traffic in eve.json but no alert... It is driving me crazy.

I would like to know what I am doing wrong in my process:

  1. Create a .txt file with only one "alert" rule.
  2. Create a source, importing this .txt.
  3. Include this source+unique category in Default Ruleset.
  4. Tab "Suricata", build+push.
  5. Test it by generating traffic. No alert showing on scirius, no hit on the specific rule.

Do you confirm it is the right way to achieve my goal?


Suricata-tester avatar Suricata-tester commented on June 1, 2024

Filename of my uploaded file:
test.txt

Content of the file:
alert tls any any -> any any (msg:"SSL Fingerprint of domain"; tls.fingerprint:"af:92:c3:40:b9:d9:3d:e8:b3:29:d0:93:ac:e0:ae:67:07:05:ed:70"; sid:9025444043; rev:1;)


regit avatar regit commented on June 1, 2024

I've just used the same DNS rule with the same version of suricata (and same scirius although not on SELKS) and it fires nicely. So this is not a bug in suricata.
Idea: did you change the hostname? If this is the case then you need to do it by editing the suricata object too, or you won't see anything in scirius. Simple test: do you have info in the suricata performance graph?


Suricata-tester avatar Suricata-tester commented on June 1, 2024

Hi,

No I did not change it.

Moreover, the default rules are working just fine, which rules out this idea:
[image]

The only thing not working is importing custom rules.

Does the imported file need some specific values or data? I am quite sure that it is not the case as scirius is understanding and applying my rule.


pevma avatar pevma commented on June 1, 2024

Is there any error related to that rule (or rule loading) in /var/log/suricata.log?
Are you using Scirius on SELKS or stand alone (latest)?


Suricata-tester avatar Suricata-tester commented on June 1, 2024

Hello again,

Sorry for the delay. I made good progress and managed to get it working by disabling every other source in the ruleset.

So now, the following rule is triggered:
alert ip any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)

Given the TCP/IP Modbus exchange, confirmed by Wireshark:
(1) -> TCP SYN
(2) <- TCP SYN, ACK
(3) -> TCP ACK
(4) -> TCP with Modbus Payload

My current problem is that this alert is only triggered for packet (1) and not (3) or (4). I think it should. In the end, I would like to alert for (4), and eventually parse the Modbus payload.

Do you have an idea about my problem?

Thanks again for your help.


pevma avatar pevma commented on June 1, 2024

What will be the result if you use this rule with your particular pcap:
alert tcp any any -> any 502 (msg:"Modbus traffic detected!"; sid:123596;)
This and the previous rule are not really doing much more than detecting IP or TCP traffic on dst port 502.


Suricata-tester avatar Suricata-tester commented on June 1, 2024

You mean with this rule I won't be able to see and test payload for specific content? So how should I do?


pevma avatar pevma commented on June 1, 2024

It depends on what exactly you are looking for. Please find below some guidelines you can use:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords

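To make the payload-keyword point concrete for the Modbus case above: a rule with nothing but addresses and ports has no payload to inspect, so it cannot tell the handshake segments from the segment that carries the Modbus request, whereas a rule built from the payload keywords in the linked guide matches only where the Modbus/TCP (MBAP) header actually is. The block below is an added example, not from the thread, scirius or Suricata: the rule string is hypothetical and written for this example, the four packets are constructed to mirror the exchange in the post, and the Python only replays the rule's dsize/content/offset/depth checks (it does not model the flow:established,to_server part, which Suricata evaluates from its flow state). It also decodes the MBAP header so the function code can be checked, which the rule itself does not do.

```python
import struct

# Hypothetical Suricata rule written for this example: alert only on packets
# whose payload starts with an MBAP header, i.e. protocol identifier 0 at
# bytes 2-3, with at least a unit id and function code behind it.
MODBUS_RULE = (
    'alert tcp any any -> any 502 (msg:"Modbus/TCP request"; '
    'flow:established,to_server; dsize:>7; '
    'content:"|00 00|"; offset:2; depth:2; '
    'sid:1000001; rev:1;)'
)

# Constructed exchange mirroring the four packets in the post: three
# handshake segments with no payload, then one segment carrying a Modbus
# Read Holding Registers (function 3) request for 10 registers at address 0.
PACKETS = [
    {"n": 1, "flags": "S",  "payload": b""},
    {"n": 2, "flags": "SA", "payload": b""},
    {"n": 3, "flags": "A",  "payload": b""},
    {"n": 4, "flags": "PA",
     "payload": bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))},
]

def parse_mbap(payload):
    """Decode the 7-byte MBAP header plus function code; None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    trans_id, proto_id, length, unit_id, func = struct.unpack("!HHHBB", payload[:8])
    # The length field counts unit id + PDU, so the segment must hold that much.
    if proto_id != 0 or length < 2 or len(payload) < 6 + length:
        return None
    return {"transaction_id": trans_id, "unit_id": unit_id,
            "function": func, "pdu": payload[8:6 + length]}

def rule_matches(packet):
    """The checks MODBUS_RULE encodes: dsize:>7 and
    content:"|00 00|"; offset:2; depth:2 (protocol identifier == 0)."""
    p = packet["payload"]
    return len(p) > 7 and p[2:4] == b"\x00\x00"

def evaluate(packets):
    """Packet numbers that would alert under the payload rule."""
    return [pk["n"] for pk in packets if rule_matches(pk)]

if __name__ == "__main__":
    print("alerting packets:", evaluate(PACKETS))
    mbap = parse_mbap(PACKETS[3]["payload"])
    print("function code:", mbap["function"], "pdu:", mbap["pdu"].hex())
```

Only packet 4 satisfies the payload checks, which is the packet the post wants to alert on; the handshake segments fail dsize:>7 before any content is compared. To narrow the rule to one function code, add a further content match at offset 7 (for example content:"|03|"; offset:7; depth:1; for Read Holding Registers) the same way parse_mbap reads that byte.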
