NIDS

NIDS (Network Intrusion Detection System) rules are loaded into Suricata to monitor network traffic for suspicious or noteworthy activity. Active NIDS rules generate alerts that can be found in Alerts.

Managing Existing NIDS Rules

You can manage existing NIDS rules using Detections. There are two ways to do so:

  • From the main Detections interface, you can search for the desired detection and click the binoculars icon.

  • From the Alerts interface, you can click an alert and then click the Tune Detection menu item.

Once you’ve used one of these methods to reach the detection detail page, you can check the Status field in the upper-right corner and use the slider to enable or disable the detection.

_images/60_detection_nids.png

To tune the detection:

  • click the TUNING tab

  • click the blue + button

  • select the type of tuning (Modify, Suppress, or Threshold)

  • fill out the requested values

  • click the CREATE button

_images/60_detection_nids_2_tuning_2_add.png

Enabling and Disabling with Regex

Starting in Security Onion 2.4.90, NIDS rules can now be enabled or disabled in Detections using regex patterns. Navigate to SOC Administration - Configuration and filter for regex, then drill down into soc –> config –> server –> modules –> suricataengine –> disableRegex or enableRegex.

The regex flavor is Google RE2: https://github.com/google/re2/wiki/Syntax

In ETOPEN, categories are prepended to the rule name. For example, the ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound rule is in the ET EXPLOIT category. So suppose you want to disable the ET EXPLOIT and ET MALWARE categories but NOT the ET EXPLOIT_KIT category. You would use the following regex patterns:

ET EXPLOIT\s
ET MALWARE\s

The \s is a shortcut for whitespace and is useful in this situation to make sure we are only matching the specific categories that we want to disable.

If a detection would be matched by both an enable and disable regex, it is enabled. If a detection’s status is changed via the Detections interface but it is currently matched by a regex pattern, the change initiated from the Detections interface is reverted and a message is shown.

Enable and disable operations that are based on regex patterns are actioned during the daily rule update. If you have made a change to the regex patterns and would like to have it implemented more immediately:

  • Under Grid Configuration, click the SYNCHRONIZE GRID button and wait about 5 minutes for it to complete.

  • Navigate to Detections, click the Options menu, select Suricata in the dropdown menu, click the FULL UPDATE button, and then wait for it to complete.

  • Refresh the Detections page and you should see the relevant rule statuses have changed.

Adding New NIDS Rules

To add a new NIDS rule, go to the main Detections page and click the blue + button between Options and the query bar. A form will appear where you will:

  • click the Language drop-down and select Suricata

  • optionally specify a license

  • add the signature

  • click the CREATE button and the detection should deploy to your grid at the next 15-minute cycle

_images/59_detection_create.png

Update Frequency

By default, Security Onion checks for new NIDS rules every 24 hours. You can change this value as follows:

  • Navigate to Administration –> Configuration.

  • At the top of the page, click the Options menu and then enable the Show advanced settings option.

  • Navigate to soc –> config –> server –> modules –> suricataengine –> communityRulesImportFrequencySeconds.

Allow External Access to NIDS Rules

Starting in Security Onion 2.4.110, you can enable external access to NIDS rules managed by Detections. This is useful when configuring OPNsense or other network devices to pull NIDS rules from your Security Onion deployment. You can do this as follows:

  • Navigate to Administration –> Configuration.

  • At the top of the page, click the Options menu and then enable the Show advanced settings option.

  • Navigate to nginx –> config –> external_suricata.

  • On the right side of the page, change the value to true and then click the checkmark to save the new setting.

  • You can wait for the next grid update or click the SYNCHRONIZE GRID button under Options.

  • Once the grid is fully synchronized, the manager should listen on port 7789 for https connections from hosts defined in the external_suricata host group.

Changing to a Different Ruleset

Security Onion includes the Emerging Threats Open (ETOPEN) ruleset by default. If you would like to change to a different ruleset, you can do this via Administration –> Configuration –> idstools –> config –> ruleset.

_images/config-item-idstools.png

Security Onion offers the following choices for NIDS rulesets. The main options are ETOPEN (free) and ETPRO (commercial) but advanced users may choose a Snort ruleset if they understand the caveats as shown below.

ETOPEN

  • default ruleset included in Security Onion

  • optimized for Suricata

  • free

For more information, see:

ETPRO

  • includes ETOPEN and additional rules

  • optimized for Suricata

  • rules retrievable as released

  • license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)

Snort Community

  • NOT optimized for Suricata

  • community-contributed rules

  • free

Snort Registered

  • NOT optimized for Suricata

  • Snort SO (Shared Object) rules do NOT work with Suricata

  • same rules as Snort Subscriber ruleset, except rules only retrievable after 30 days past release

  • free

Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+'.

Snort Subscriber (Talos)

  • NOT optimized for Suricata

  • Snort SO (Shared Object) rules do NOT work with Suricata

  • rules retrievable as released

  • license fee per sensor (you are responsible for purchasing enough licenses for your entire deployment)

Since Shared Object rules won’t work with Suricata, you may want to disable them using a regex like 're:soid [0-9]+'.

Other

  • not officially managed/supported by Security Onion

  • license fee may or may not apply

If you would like to add custom rulesets, then you can do this with a configuration setting. In Security Onion Console (SOC), navigate to Administration –> Configuration. At the top of the page, click the Options menu and then enable the Show advanced settings option. Then filter for customRulesets and drilldown on the left side.

Custom rulesets can be added either via URL or a local file placed on the Manager.

For URLs, the format is:

{"community":true,"license":"GPLv2","ruleset":"snort-community","target-file":"community.rules","url":"https://www.snort.org/downloads/community/community-rules.tar.gz"}

Here’s what each option means:

  • community: Required, true or false. This disables some management options for the imported rules - they can’t be deleted or edited, just tuned, duplicated, and Enabled | Disabled.

  • license: Required, the license this ruleset falls under.

  • ruleset: Required, the ruleset name or identifier.

  • target-file: Required, the name of the file that contains the rules, once it is downloaded. The file extension must be .rules.

  • url: Required, the URL that the rules should be downloaded from.

For local files, the format is:

{"community":true,"license":"DRL1.1","file":"/nsm/rules/detect-suricata/custom_file/SOS-Custom_suricata.rules","ruleset":"SOS-Custom"}

file: This is the path for the local rules file, which must be in the /nsm/rules/detect-suricata/custom_file/ directory.

The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by navigating to Detections –> Options dropdown menu –> Suricata –> Full Update.