Maintaining Suricata Rules

Tracking the Activity

watching the fast log while excluding specific noisy rules, e.g. sids 2210045 and 2210046

egrep -v '1:221004(5|6):2' /var/log/suricata/fast.log

Additional Sources

as the suri user

grep ^suri /etc/passwd
chsh -s /bin/bash suri
su - suri

suricata-update -h
suricata-update list-sources
suricata-update list-enabled-sources

suricata-update enable-source oisf/trafficid
suricata-update enable-source et/open
suricata-update enable-source ptresearch/attackdetection

#suricata-update disable-source oisf/trafficid
#suricata-update disable-source et/open
#suricata-update disable-source ptresearch/attackdetection

^D
chsh -s /bin/false suri

you now HAVE TO update the rules AND reload the daemon as well

alternatively, per rule instead of per source

Disabling Rules

grep 2200003 /etc/suricata/rules/*.rules
vi /etc/suricata/disable.conf

#SURICATA IPv4 truncated packet
2200003
#ET POLICY Dropbox Client Broadcasting
2012648
#SURICATA STREAM Packet with invalid ack
2210045
#SURICATA STREAM SHUTDOWN RST invalid ack
2210046
#tor
2522990
2522298

you now HAVE TO update the rules AND reload the daemon as well

Updating Rules

as the suri user

grep ^suri /etc/passwd
chsh -s /bin/bash suri
su - suri
suricata-update

check and reload

date
ls -lhF /var/lib/suricata/rules/suricata.rules
grep 2200003 /var/lib/suricata/rules/suricata.rules

^D
chsh -s /bin/false suri
suricatasc -c reload-rules
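The check step above greps for a single sid by hand. As an added example (not part of this page's procedure), the POSIX shell script below reads every bare sid from disable.conf and confirms it is really commented out in the merged suricata.rules that the daemon loads, which catches a forgotten suricata-update run before the reload. The sample files it writes under a temp dir are constructed for the demo, and `re:`/`group:` entries of disable.conf are skipped.

```shell
#!/bin/sh
# Report the state of one sid in a rules file: enabled, disabled or missing.
sid_state() {
    sid=$1; rules=$2
    if grep -Eq "^[[:space:]]*(alert|drop|pass|reject)[[:space:]].*sid:[[:space:]]*$sid;" "$rules"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#.*sid:[[:space:]]*$sid;" "$rules"; then
        echo disabled
    else
        echo missing
    fi
}

# Walk disable.conf and check each bare sid; returns 1 if any sid is not disabled.
check_disabled() {
    conf=$1; rules=$2; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop leading blanks, trailing comments and trailing blanks
        sid=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*#.*//; s/[[:space:]]*$//')
        case "$sid" in
            '') continue ;;                                    # blank or comment line
            *[!0-9]*) echo "skip: $sid (re:/group: entry)"; continue ;;
        esac
        state=$(sid_state "$sid" "$rules")
        echo "$sid $state"
        [ "$state" = disabled ] || rc=1
    done < "$conf"
    return $rc
}

# Constructed sample data for the demo: 2200003 is disabled as expected,
# 2522990 is listed in disable.conf but still active in the merged rules.
make_sample() {
    cat > "$1/disable.conf" <<'EOF'
#SURICATA IPv4 truncated packet
2200003
#tor
2522990
EOF
    cat > "$1/suricata.rules" <<'EOF'
# alert pkthdr any any -> any any (msg:"SURICATA IPv4 truncated packet"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;)
alert tcp any any -> any any (msg:"ET POLICY Dropbox Client Broadcasting"; sid:2012648; rev:1;)
alert tcp any any -> any any (msg:"sample tor rule"; sid:2522990; rev:1;)
EOF
}

# Usage on a real box: ./check_disabled.sh /etc/suricata/disable.conf /var/lib/suricata/rules/suricata.rules
if [ "$#" -eq 2 ]; then check_disabled "$1" "$2"; fi
```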

Define your Own Rules

Troubleshooting

when updating the rules as the suri user,

26/12/2018 -- 13:32:49 - <Error> -- [ERRCODE: SC_ERR_CHANGING_CAPS_FAILED(157)] - capng_change_id for main thread failed
26/12/2018 -- 13:32:49 - <Error> -- Suricata test failed, aborting.
26/12/2018 -- 13:32:49 - <Error> -- Restoring previous rules.

==> triple-check the permissions as shown above; worst case, restart the daemon

when the rules/* files have been edited by hand,

26/12/2018 -- 13:38:20 - <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
26/12/2018 -- 13:38:20 - <Error> -- Suricata test failed, aborting.
26/12/2018 -- 13:38:20 - <Error> -- Restoring previous rules.

==> DO NOT EDIT the Emerging rules by yourself, use enable.conf and disable.conf instead.

when trying to reload the daemon,

Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory

(same when attempting to update the rules as the suri user)

==> restart the daemon cleanly while watching the logs, and if needed force enable: yes for the command socket in suricata.yaml

Resources

Operations

Rules

Trash

cp /usr/lib/python2.7/dist-packages/suricata/update/configs/update.yaml update.yaml

old way: disable e.g. rule 2200003 by editing the rule file directly (superseded by disable.conf above)

cp -pi /etc/suricata/rules/decoder-events.rules /etc/suricata/rules/decoder-events.rules.dist
vi /etc/suricata/rules/decoder-events.rules

#alert pkthdr any any -> any any (msg:"SURICATA IPv4 truncated packet"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;)
