Adding Local Rules¶
You can add NIDS rules in
/opt/so/saltstack/local/salt/idstools/local.rules on your manager. Within 15 minutes, Salt should then copy those rules into
/opt/so/rules/nids/local.rules. The next run of
idstools should then merge
/opt/so/rules/nids/all.rules which is what Suricata reads from.
If you don’t want to wait for these automatic processes, you can run them manually from the manager (replacing
$SENSORNAME_$ROLE as necessary):
sudo salt-call state.highstate sudo so-rule-update sudo salt $SENSORNAME_$ROLE state.apply suricata
Let’s add a simple rule to
/opt/so/saltstack/local/salt/idstools/local.rulesthat’s really just a copy of the traditional
id check returned rootrule:
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root 2"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:7000000; rev:1;)
From the manager, tell Salt to update:
sudo salt-call state.highstate
Restart Suricata (replacing
sudo salt $SENSORNAME_$ROLE state.apply suricata
If you built the rule correctly, then Suricata should be back up and running.
You can then run
curl http://testmynids.org/uid/index.htmlon the node to generate traffic which should cause this rule to alert (and the original rule that it was copied from, if it is enabled).
Default YARA rules are provided from Florian Roth’s signature-base Github repo at https://github.com/Neo23x0/signature-base.
To add local YARA rules, create a directory in
/opt/so/saltstack/local/salt/strelka/rules, for example
localrules. Inside of
/opt/so/saltstack/local/salt/strelka/rules/localrules, add your YARA rules.
After adding your rules, update the configuration by running
so-strelka-restart on all nodes running Strelka.
salt -G 'role:so-sensor' cmd.run "so-strelka-restart" to restart Strelka on all sensors at once.
Remotely Managed Rules:¶
If you have Internet access and want to have
so-yara-update pull YARA rules from a Github repo, copy
/opt/so/saltstack/local/salt/strelka/rules/, and modify
repos.txt to include the repo URL (one per line).
so-yara-update to pull down the rules. Finally, run
so-strelka-restart to allow Strelka to pull in the new rules.