Adding suricata rules to the rules folder

[joelmjennings]

This is a standalone Malcolm instance on single platform running all the components local. We are in a SCADA environment so there is no internet connection. SURICATA_UPDATE_RULES is set to false. I have set SURICATA_CUSTOM_RULES_ONLY to both true and false. ~/suricata/rules/*.rules was manually populated with a recent download from https://rules.emergingthreats.net/open/suricata/rules/ only the *.rules files were added. I restart the system with start and stop from the scripts directory.

Suricata does trigger on generic tcp alerts. The signatures dashboard is empty, it shows zero or no results found.

What is the process to update suricata rules on an offline host?

[mmguero]

Just taking off for the evening, but I'll be back in the morning and look through this with you!

[joelmjennings]

I am available for any suggestions, I can try them and quickly post the results.

[mmguero]

Okay, first thing's first, let's make sure that the suricata.yaml got generated correctly for those rules files:

Run this command and make sure that the bottom of that yaml file looks something like this (basically that after rule-files you see the .rules files you expected).

$ docker compose exec -u $(id -u) suricata cat /etc/suricata/suricata.yaml
...
rule-files:
- /opt/suricata/rules/3coresec.rules
- /opt/suricata/rules/botcc.portgrouped.rules
- /opt/suricata/rules/botcc.rules
- /opt/suricata/rules/ciarmy.rules
- /opt/suricata/rules/compromised.rules
- /opt/suricata/rules/drop.rules
- /opt/suricata/rules/dshield.rules
- /opt/suricata/rules/emerging-activex.rules
- /opt/suricata/rules/emerging-adware_pup.rules
- /opt/suricata/rules/emerging-attack_response.rules
- /opt/suricata/rules/emerging-chat.rules
- /opt/suricata/rules/emerging-coinminer.rules
- /opt/suricata/rules/emerging-current_events.rules
- /opt/suricata/rules/emerging-deleted.rules
- /opt/suricata/rules/emerging-dns.rules
- /opt/suricata/rules/emerging-dos.rules
- /opt/suricata/rules/emerging-exploit.rules
- /opt/suricata/rules/emerging-exploit_kit.rules
- /opt/suricata/rules/emerging-ftp.rules
- /opt/suricata/rules/emerging-games.rules
- /opt/suricata/rules/emerging-hunting.rules
- /opt/suricata/rules/emerging-icmp.rules
- /opt/suricata/rules/emerging-icmp_info.rules
- /opt/suricata/rules/emerging-imap.rules
- /opt/suricata/rules/emerging-inappropriate.rules
- /opt/suricata/rules/emerging-info.rules
- /opt/suricata/rules/emerging-ja3.rules
- /opt/suricata/rules/emerging-malware.rules
- /opt/suricata/rules/emerging-misc.rules
- /opt/suricata/rules/emerging-mobile_malware.rules
- /opt/suricata/rules/emerging-netbios.rules
- /opt/suricata/rules/emerging-p2p.rules
- /opt/suricata/rules/emerging-phishing.rules
- /opt/suricata/rules/emerging-policy.rules
- /opt/suricata/rules/emerging-pop3.rules
- /opt/suricata/rules/emerging-retired.rules
- /opt/suricata/rules/emerging-rpc.rules
- /opt/suricata/rules/emerging-scada.rules
- /opt/suricata/rules/emerging-scan.rules
- /opt/suricata/rules/emerging-shellcode.rules
- /opt/suricata/rules/emerging-smtp.rules
- /opt/suricata/rules/emerging-snmp.rules
- /opt/suricata/rules/emerging-sql.rules
- /opt/suricata/rules/emerging-telnet.rules
- /opt/suricata/rules/emerging-tftp.rules
- /opt/suricata/rules/emerging-user_agents.rules
- /opt/suricata/rules/emerging-voip.rules
- /opt/suricata/rules/emerging-web_client.rules
- /opt/suricata/rules/emerging-web_server.rules
- /opt/suricata/rules/emerging-web_specific_apps.rules
- /opt/suricata/rules/emerging-worm.rules
- /opt/suricata/rules/threatview_CS_c2.rules
- /opt/suricata/rules/tor.rules

For live capture, run the same command replacing suricata with suricata-live to run the command on that container.

You can also run ./scripts/status -s suricata suricata-live to look at the debug output of those containers.

If nothing looks amiss, then the question is "are we even seeing traffic that would trigger these rules?" I reproduced what you said you've done, and then I uploaded a bunch of PCAP (Cyberville.pcap, this and this PCAP set, this scenario) and got these results in the suricata dashboard for Alerts - Name:

Name,Count
"ET POLICY Possible Kali Linux hostname in DHCP Request Packet",7
"ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware",6
"ET INFO HTTP Request to a *.ga domain",4
"ET POLICY TLS possible TOR SSL traffic",3
"ET POLICY Outdated Flash Version M1",1
"ET POLICY myip.ru IP lookup",1

And these for Alert Category:

[joelmjennings]

The debug commands help a lot. Thank you. I do appear to be loading the same lists. I am going to run a scenario like you suggested and try to trigger some alerts. I am also going to write a custom rules file and see if it shows up on list.

[joelmjennings]

I was able to follow up with manual load of pcaps. Suricata alerts were generated. Thanks again for the help.