Suricata/Setting-up-rules

From aldeid
Jump to navigation Jump to search
You are here:
Setting-up rules

Description

Suricata is based on signature files to detect attacks.

We will now download two different sets of rules: from Snort VRT and from Emerging Threats.

Emerging Threats

Free version

The free version covers a large range of attacks and the signatures are updated daily.

$ cd /etc/suricata/
$ wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
$ tar xzvf emerging.rules.tar.gz

You should now have a rules/ directory.

Commercial version

The commercial version is worth $350 a year per sensor.

Emerging Threats Pro is the commercial ruleset based upon and supporting the Emerging Threats open source project.

The signature file the commercial version offers is wider than the one provided by the open source project, and is mainly focused on malware. It is updated on a daily basis.

VRT rules

Free version

A free licence enables to get the signatures of the commercial edition with a delay of 30 days.

Once you have a oinkcode, download and uncompress the rules tar.gz file in a temporary directory, and move all rules to suricata's rules/ directory.

# tar xzvf snortrules-snapshot-2861.tar.gz
# mv rules/* /etc/suricata/rules/

For more information, please refer to this post (currently in french).

Commercial version

The commercial licence enables to get the latests updates immediately when available.

Manually creating rules

Description

This section describes how to manually create rules. This is optional but some features won't be covered by the basic rules set and you will need to manually create rules for using flowint for example.

Flowint

Syntax

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Example

Here is an example tested against vsftpd to trigger an alert after 2 incorrect login attemps:

alert tcp any any -> any any (msg:"Counting Failed Logins"; content:"incorrect"; \
 flowint: username, notset; flowint:username, =, 1; noalert; sid:1;)
alert tcp any any -> any any (msg:"More than two Failed Logins!"; content:"incorrect"; \
 flowint: username, isset; flowint:username, +, 1; flowint:username, >, 2; sid:2;)

Here is how the alert has been triggered:

$ ftp 192.168.100.35
Connected to 192.168.100.35.
220 (vsFTPd 2.0.7)
Name (192.168.100.35:aldeid): root
331 Please specify the password.
Password: <<abcd>>
530 Login incorrect.
Login failed.
ftp> user root
331 Please specify the password.
Password: <<def>> 
530 Login incorrect.
Login failed.

And here is the alert:

03/16/2011-17:35:31.560382  [**] [1:2:0] More than two Failed Logins! [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 -> 192.168.100.37:3656

Limitations

Notice that the alert will be triggered only if the attempts are done within the same session. In case you close the session and try a new identification, the counter will be reseted and no alert will be triggered.

The following example won't trigger any alert:

$ ftp 192.168.100.35
Connected to 192.168.100.35.
220 (vsFTPd 2.0.7)
Name (192.168.100.35:aldeid): root
331 Please specify the password.
Password: <<<abc>>>
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.

$ ftp 192.168.100.35
Connected to 192.168.100.35.
220 (vsFTPd 2.0.7)
Name (192.168.100.35:aldeid): root
331 Please specify the password.
Password: <<<def>>>
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.

After the "quit" command, the connection is closed, so the flow instance is destroyed after that, and the flowint vars will be released too. Then a new connection is set for another login retry, and Suricata creates a new flow instance, but flowint vars live in the context of a flow.

Rules Managers