Regex and more #109

Merged
merged 9 commits into from
Jul 29, 2024
45 changes: 45 additions & 0 deletions detections.rst
Expand Up @@ -121,3 +121,48 @@ For more information about managing :ref:`nids` rules for :ref:`suricata`, pleas
For more information about managing :ref:`sigma` rules for :ref:`elastalert`, please see the :ref:`sigma` section.

For more information about managing :ref:`yara` rules for :ref:`strelka`, please see the :ref:`yara` section.

Technical Background
--------------------

Detections abstracts the underlying alerting engine and simplifies writing detections for different rule types. Here's what happens behind the scenes.

Enable and Disable (Bulk and Individual) Operations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Elastalert/Sigma
- Immediate change in the UI and on disk

Suricata/NIDS
- UI Bulk and Individual: Immediate change in the UI, disk change once the `idstools` state runs again
- Regex: UI and disk change once the `soc` state runs again and the :ref:`suricata` engine syncs

Strelka/YARA
- Immediate change in the UI, disk change once the `strelka` state runs again

Tuning
~~~~~~

Elastalert/Sigma
- Immediate change in the UI and on disk

Suricata/NIDS
- Immediate change in the UI, disk change once the `idstools` state runs again

Strelka/YARA
- N/A

Ruleset Changes
~~~~~~~~~~~~~~~

Elastalert/Sigma
- Sigma Ruleset Packages: UI and disk change once the `soc` state runs again and the :ref:`elastalert` engine syncs
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`elastalert` engine syncs

Suricata/NIDS
- ETOPEN/ETPRO: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
- Custom URL: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs
- Custom Local File: UI and disk change once the `soc` and `idstools` states run again and the :ref:`suricata` engine syncs

Strelka/YARA
- Git repo (https or disk): UI and disk change once the `soc` state runs again and the :ref:`strelka` engine syncs
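Review bot: Throughout this hunk the bullet lists are placed directly under the "Elastalert/Sigma", "Suricata/NIDS" and "Strelka/YARA" lines with no blank line in between; in reStructuredText a bullet list must be separated from the preceding paragraph by a blank line, so as written Sphinx will fold lines such as "- Immediate change in the UI and on disk" into the paragraph text rather than rendering a list. Add a blank line after each engine heading line (or turn those lines into definition-list terms). Separately, the state names are wrapped in single backticks (`idstools`, `soc`, `strelka`), which in RST is interpreted text under the default role rather than an inline literal; the rest of the docs use double backticks (for example ``regex`` in nids.rst), so these should be ``idstools``, ``soc`` and ``strelka`` for consistent rendering.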
24 changes: 24 additions & 0 deletions nids.rst
Expand Up @@ -29,6 +29,30 @@ To tune the detection:
.. image:: images/60_detection_nids_2_tuning_2_add.png
:target: _images/60_detection_nids_2_tuning_2_add.png

Enabling and Disabling with Regex
---------------------------------

In 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC :ref:`administration` - Configuration and filter for ``regex``, then drill down into soc --> config --> server --> modules --> suricataengine --> disableRegex or enableRegex.

The regex flavor is Google RE2: https://github.com/google/re2/wiki/Syntax

In ETOPEN, categories are prepended to the rule name. For example, the ``ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound`` rule is in the ``ET EXPLOIT`` category. So suppose you want to disable the ``ET EXPLOIT`` and ``ET MALWARE`` categories but NOT the ``ET EXPLOIT_KIT`` category. You would use the following regex patterns:

::

ET EXPLOIT\s
ET MALWARE\s

The ``\s`` is a shortcut for whitespace and is useful in this situation to make sure we are only matching the specific categories that we want to disable.

If a detection would be matched by both an enable and disable regex, it is enabled. If a detection's status is changed via the :ref:`detections` interface but it is currently matched by a regex pattern, the change initiated from the :ref:`detections` interface is reverted and a message is shown.

Enable and disable operations that are based on regex patterns are actioned during the daily rule update. If you have made a change to the regex patterns and would like to have it implemented more immediately:

- Under Grid Configuration, click the ``SYNCHRONIZE GRID`` button and wait about 5 minutes for it to complete.
- Navigate to :ref:`detections`, click the Options menu, select :ref:`suricata` in the dropdown menu, click the ``FULL UPDATE`` button, and then wait for it to complete.
- Refresh the :ref:`detections` page and you should see the relevant rule statuses have changed.

Adding New NIDS Rules
---------------------
