Merge pull request #109 from Security-Onion-Solutions/dev
Regex and more
dougburks authored Jul 29, 2024
2 parents 42d89b9 + 58b54f5 commit f976681
Showing 2 changed files with 69 additions and 0 deletions.
45 changes: 45 additions & 0 deletions detections.rst
Expand Up @@ -121,3 +121,48 @@ For more information about managing :ref:`nids` rules for :ref:`suricata`, pleas
For more information about managing :ref:`sigma` rules for :ref:`elastalert`, please see the :ref:`sigma` section.

For more information about managing :ref:`yara` rules for :ref:`strelka`, please see the :ref:`yara` section.

Technical Background
--------------------

Detections abstracts the underlying alerting engine and simplifies writing detections for different rule types. Here's what happens behind the scenes.

Enable and Disable (Bulk and Individual) Operations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Elastalert/Sigma
- Immediate change in the UI and on disk

Suricata/NIDS
- UI Bulk and Individual: Immediate change in the UI, disk change once the `idstools` state runs again
- Regex: UI and disk change once the `soc` state runs again and the :ref:`suricata` engine syncs

Strelka/YARA
- Immediate change in the UI, disk change once the `strelka` state runs again

Tuning
~~~~~~

Elastalert/Sigma
- Immediate change in the UI and on disk

Suricata/NIDS
- Immediate change in the UI, disk change once the `idstools` state runs again

Strelka/YARA
- N/A

Ruleset Changes
~~~~~~~~~~~~~~~

Elastalert/Sigma
- Sigma Ruleset Packages: UI and disk change once the `soc` state runs again and the :ref:`elastalert` engine syncs
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`elastalert` engine syncs

Suricata/NIDS
- ETOPEN/ETPRO: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
- Custom URL: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
- Custom Local File: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs

Strelka/YARA
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`strelka` engine syncs
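Review bot: The engine labels in this hunk ("Elastalert/Sigma", "Suricata/NIDS", "Strelka/YARA") are each followed directly by a `- ` item with no blank line in between, and reStructuredText requires a blank line before a bullet list, so as written the items will be folded into the label's paragraph as literal "- " text instead of rendering as a list; either insert a blank line after each label or turn the labels into a definition list or small headings. Also, `idstools`, `soc` and `strelka` are written in single backticks, which in RST is interpreted text (rendered italic by default) rather than a literal; the nids.rst hunk in this same commit uses double backticks (``regex``), so ``idstools``, ``soc`` and ``strelka`` would keep the two files consistent.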
24 changes: 24 additions & 0 deletions nids.rst
Expand Up @@ -29,6 +29,30 @@ To tune the detection:
.. image:: images/60_detection_nids_2_tuning_2_add.png
:target: _images/60_detection_nids_2_tuning_2_add.png

Enabling and Disabling with Regex
---------------------------------

In 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC :ref:`administration` - Configuration and filter for ``regex``, then drill down into soc --> config --> server --> modules --> suricataengine --> disableRegex or enableRegex.

The regex flavor is Google RE2: https://github.com/google/re2/wiki/Syntax

In ETOPEN, categories are prepended to the rule name. For example, the ``ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound`` rule is in the ``ET EXPLOIT`` category. So suppose you want to disable the ``ET EXPLOIT`` and ``ET MALWARE`` categories but NOT the ``ET EXPLOIT_KIT`` category. You would use the following regex patterns:

::

ET EXPLOIT\s
ET MALWARE\s

The ``\s`` is a shortcut for whitespace and is useful in this situation to make sure we are only matching the specific categories that we want to disable.

If a detection would be matched by both an enable and disable regex, it is enabled. If a detection's status is changed via the :ref:`detections` interface but it is currently matched by a regex pattern, the change initiated from the :ref:`detections` interface is reverted and a message is shown.

Enable and disable operations that are based on regex patterns are actioned during the daily rule update. If you have made a change to the regex patterns and would like to have it implemented more immediately:

- Under Grid Configuration, click the ``SYNCHRONIZE GRID`` button and wait about 5 minutes for it to complete.
- Navigate to :ref:`detections`, click the Options menu, select :ref:`suricata` in the dropdown menu, click the ``FULL UPDATE`` button, and then wait for it to complete.
- Refresh the :ref:`detections` page and you should see the relevant rule statuses have changed.

Adding New NIDS Rules
---------------------

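Review bot: The literal block after "You would use the following regex patterns:" lists two patterns but the surrounding text never says how they go into disableRegex, i.e. whether each line is a separate entry in the setting or a single combined pattern such as `ET (EXPLOIT|MALWARE)\s` is expected; one sentence stating the expected form would remove that guesswork. In the same paragraph, the sample patterns are unanchored, so `ET EXPLOIT\s` also matches a rule whose name contains that text anywhere, not only at the start; if the engine matches against the full rule name, showing the anchored form `^ET EXPLOIT\s` (RE2 supports `^`) would make the category match as tight as the `\s` explanation implies. Lastly, the precedence rule ("If a detection would be matched by both an enable and disable regex, it is enabled") and the revert behaviour are easy to miss at the end of a prose paragraph; a `.. note::` block would make them visible to readers before they write overlapping patterns.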
