Suricata/Setting-up-rules
| You are here: | Setting-up rules
|
Description
Suricata is based on signature files to detect attacks.
We will now download two different sets of rules: from Snort VRT and from Emerging Threats.
Emerging Threats
Free version
The free version covers a large range of attacks and the signatures are updated daily.
$ cd /etc/suricata/ $ wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz $ tar xzvf emerging.rules.tar.gz
You should now have a rules/ directory.
Commercial version
The commercial version is worth $350 a year per sensor.
Emerging Threats Pro is the commercial ruleset based upon and supporting the Emerging Threats open source project.
The signature file the commercial version offers is wider than the one provided by the open source project, and is mainly focused on malware. It is updated on a daily basis.
VRT rules
Free version
A free licence enables to get the signatures of the commercial edition with a delay of 30 days.
Once you have a oinkcode, download and uncompress the rules tar.gz file in a temporary directory, and move all rules to suricata's rules/ directory.
# tar xzvf snortrules-snapshot-2861.tar.gz # mv rules/* /etc/suricata/rules/
For more information, please refer to this post (currently in french).
Commercial version
The commercial licence enables to get the latests updates immediately when available.
Manually creating rules
Description
This section describes how to manually create rules. This is optional but some features won't be covered by the basic rules set and you will need to manually create rules for using flowint for example.
Flowint
Syntax
Thank you for your comprehension.
Example
Here is an example tested against vsftpd to trigger an alert after 2 incorrect login attemps:
alert tcp any any -> any any (msg:"Counting Failed Logins"; content:"incorrect"; \ flowint: username, notset; flowint:username, =, 1; noalert; sid:1;) alert tcp any any -> any any (msg:"More than two Failed Logins!"; content:"incorrect"; \ flowint: username, isset; flowint:username, +, 1; flowint:username, >, 2; sid:2;)
Here is how the alert has been triggered:
$ ftp 192.168.100.35 Connected to 192.168.100.35. 220 (vsFTPd 2.0.7) Name (192.168.100.35:aldeid): root 331 Please specify the password. Password: <<abcd>> 530 Login incorrect. Login failed. ftp> user root 331 Please specify the password. Password: <<def>> 530 Login incorrect. Login failed.
And here is the alert:
03/16/2011-17:35:31.560382 [**] [1:2:0] More than two Failed Logins! [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 -> 192.168.100.37:3656
Limitations
Notice that the alert will be triggered only if the attempts are done within the same session. In case you close the session and try a new identification, the counter will be reseted and no alert will be triggered.
The following example won't trigger any alert:
$ ftp 192.168.100.35 Connected to 192.168.100.35. 220 (vsFTPd 2.0.7) Name (192.168.100.35:aldeid): root 331 Please specify the password. Password: <<<abc>>> 530 Login incorrect. Login failed. ftp> quit 221 Goodbye. $ ftp 192.168.100.35 Connected to 192.168.100.35. 220 (vsFTPd 2.0.7) Name (192.168.100.35:aldeid): root 331 Please specify the password. Password: <<<def>>> 530 Login incorrect. Login failed. ftp> quit 221 Goodbye.
After the "quit" command, the connection is closed, so the flow instance is destroyed after that, and the flowint vars will be released too. Then a new connection is set for another login retry, and Suricata creates a new flow instance, but flowint vars live in the context of a flow.
Rules Managers
- PulledPork (recommended by Snort)
- Oinkmaster