
Comments (11)

regit avatar regit commented on August 15, 2024

Hi,
If you want rules to be displayed in scirius, scirius has to know them.
So you need to upload them via scirius. To do so add a source and choose single rule file and upload.

On 22 Jul 2015 8:02 AM, Bugs [email protected] wrote: Hi,

I have created a simple test rule in /etc/suricata/rules/local.rules and added "- local-rules" under "-scirius.rules" in suricata.yaml

The content of /etc/suricata/rules/local.rules is:
alert icmp any any -> any any (msg:"ICMP Test"; classtype:policy-violation; sid:10000001; rev:1;)

It means any pings will generate an alert.
I did a sudo "service suricata restart"
pinged google.com
and I can see alerts in SELKS dashboard OK, (and in fast.log).

The problem is with Scirius.
Problem 1:
If I go to "Suricata" in Scirius I cannot see the alert in "rules activity"

Problem 2:
I can actually see the alert in the pie chart/circle summary of Scirius (how do you call that?! :)
but if I click on it then I am getting the following error, instead of loading the rule:

Page not found (404)
Request Method: GET
Request URL: https://192.168.0.5/rules/rule/pk/10000001/

So I suspect the way I have added my local rule is not the right way? or that I have missed a step so that Scirius can deal with local rules?

Thanks.
B.


from scirius.

b-u-g-s avatar b-u-g-s commented on August 15, 2024

Thanks Regit, I did just that. But for this to work I need to do 2x things which I think is a bit odd.

  1. I need to add the rules as you mentioned in Scirius by adding a source through uploading a file
  2. I also need to have the same rule defined in local.rules

If I don't do 1) then Scirius doesn't see the rule.
If I don't do 2) then Suricata doesn't process the alert! And it only sees past hits/occurrences of the SID.

I would have thought just doing 1) should have been enough...
Is that a normal behaviour or a bug?


pevma avatar pevma commented on August 15, 2024

You should also not forget to update. From Suricata menu, then click on "update".


regit avatar regit commented on August 15, 2024

Yes to @pevma's remark. And you should also:

  • add the source to the running ruleset
  • activate the category in the ruleset
  • then update suricata


b-u-g-s avatar b-u-g-s commented on August 15, 2024

Thanks Regit and Pevma. It works indeed!
I am just wondering, where is the rule file once you upload it in Scirius? I am also guessing that if you want to add new rules you need to remove the source from the GUI and upload an updated rule file with your new rules and follow the same process. In which case do you have to remove the source, update in GUI, upload new source and update?

In case someone is reading this thread, the complete process to add new rules through Scirius is to:

  1. Go to Sources -> Add
  2. Give it a name, Method = Upload, Datatype = Individual Signature File
  3. File -> Choose file -> Select your local rule file (local to the computer you are running your browser from)
  4. Submit
  5. Go to Rulesets -> Click on Default SELKS ruleset -> Edit (menu on the left)
  6. Click Edit Sources -> Select the ruleset you have just uploaded -> Update Sources
  7. Click Edit Categories -> At the bottom, select your new ruleset -> Update Categories
  8. Go to Suricata -> Click Update
  9. Select all action (might just need to select update but just in case) -> Click apply

Et voila.

Note to developers... might be nice to have a slightly simpler workflow ;)
If I may, I would suggest you bundle steps 4, 5, 6 and 7,
and then inform the user what has just been done (added a source and categories, with a list of the rules added), and if they still want to go ahead then let them know to do step 8.
B.

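Before uploading a rule file as a Scirius "Individual Signature File" source, it helps to check that every rule parses and that no sid is reused, since Scirius keys rules by sid (the 404 above was for /rules/rule/pk/10000001/) and a malformed rule is exactly what tripped up the last poster in this thread. The following is an added example, not code from this thread or from the Scirius project: a small Python linter that parses rules in the format shown above, reports missing sid/msg/rev and duplicate sids within a file, and additionally checks for the same sid appearing across several files, which is the situation in the second comment where the same rule lived in both local.rules and the uploaded source. The file names local.rules and scirius.rules are taken from the thread; the file contents are constructed samples.

```python
"""Lint Suricata rule files before uploading them to Scirius as a single-rule-file source."""
import re

# Constructed sample input: the ICMP test rule from the thread plus two deliberately broken rules.
LOCAL_RULES = """\
# constructed local.rules
alert icmp any any -> any any (msg:"ICMP Test"; classtype:policy-violation; sid:10000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH to server; duplicate sid"; sid:10000001; rev:1;)
alert udp any any -> any 53 (msg:"DNS rule without a sid"; rev:1;)
"""

# Constructed stand-in for the file Scirius writes out, containing the same ICMP rule again.
SCIRIUS_RULES = """\
alert icmp any any -> any any (msg:"ICMP Test"; classtype:policy-violation; sid:10000001; rev:1;)
"""

# Rule header: action proto src sport direction dst dport, followed by the (...) option body.
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$"
)


def split_options(body):
    """Split 'key:value; key; ...' on ';' outside double quotes (a msg may contain ';').

    Returns (options, ok); ok is False when quotes are unbalanced or text follows the last ';'.
    """
    options, cur, in_quotes, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(cur).strip()
            if token:
                key, _, value = token.partition(":")
                options.append((key.strip(), value.strip()))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    return options, not in_quotes and not "".join(cur).strip()


def parse_rule(line):
    """Parse one rule line into header fields plus an 'options' list; raise ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("header must be: action proto src sport -> dst dport (options)")
    options, ok = split_options(m.group("body"))
    if not ok:
        raise ValueError("options must be ';'-terminated with balanced quotes")
    rule = m.groupdict()
    rule["options"] = options
    return rule


def iter_rules(text):
    """Yield (lineno, rule, error) for every non-blank, non-comment line; rule is None on error."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            yield lineno, parse_rule(line), None
        except ValueError as exc:
            yield lineno, None, str(exc)


def lint_rules(text):
    """Return [(lineno, code)] findings for one rule file: parse errors, missing keys, duplicate sids."""
    findings, seen_sids = [], {}
    for lineno, rule, error in iter_rules(text):
        if error:
            findings.append((lineno, "parse-error"))
            continue
        opts = dict(rule["options"])
        sid = opts.get("sid", "")
        if not sid.isdigit():
            findings.append((lineno, "missing-sid"))  # Suricata rejects a signature without a sid
        elif sid in seen_sids:
            findings.append((lineno, "duplicate-sid"))  # same sid twice in one file
        else:
            seen_sids[sid] = lineno
        if "msg" not in opts:
            findings.append((lineno, "missing-msg"))  # alerts without a msg are hard to triage
        if not opts.get("rev", "").isdigit():
            findings.append((lineno, "missing-rev"))
    return findings


def duplicate_sids(files):
    """Map each sid defined in more than one place to its 'file:line' locations across files."""
    where = {}
    for name, text in files.items():
        for lineno, rule, error in iter_rules(text):
            if error:
                continue
            sid = dict(rule["options"]).get("sid")
            if sid:
                where.setdefault(sid, []).append(f"{name}:{lineno}")
    return {sid: places for sid, places in where.items() if len(places) > 1}


if __name__ == "__main__":
    files = {"local.rules": LOCAL_RULES, "scirius.rules": SCIRIUS_RULES}
    for name, text in files.items():
        for lineno, code in lint_rules(text):
            print(f"{name}:{lineno}: {code}")
    for sid, places in duplicate_sids(files).items():
        print(f"sid {sid} defined in: {', '.join(places)}")
```

Run it on the real files before the upload in step 3 and again on /etc/suricata/rules/scirius.rules after the push in step 9; an empty report from both means every rule parsed and each sid is defined exactly once, so the sid Scirius shows in its rule links corresponds to a single rule.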

regit avatar regit commented on August 15, 2024

I've just updated code with db2cd94 to simplify the procedure. You can now simply select rulesets on "Add a source" form. If you do that then all categories of the new source are added to the ruleset.


regit avatar regit commented on August 15, 2024

By the way on point 9. of previous procedure, you mainly need the build and push steps to construct a new ruleset and reload suricata config.


b-u-g-s avatar b-u-g-s commented on August 15, 2024

Thanks!


VN1977 avatar VN1977 commented on August 15, 2024

Hello!
I've read the topic. But what about another ruleset, not the default one? I made one and named it Custom ruleset. I assigned the new source to this ruleset and activated the category. Then I updated, built and pushed in Suricata. No result, and none of my custom rules are in /etc/suricata/rules/scirius.rules.


pevma avatar pevma commented on August 15, 2024

@VN1977 - could you please open a diff issue.
I am not sure if I understand correctly - you created and uploaded some custom rules but they do not appear anywhere?


VN1977 avatar VN1977 commented on August 15, 2024

It's OK.
I had a mistake with a rule.

