Difference between revisions of "Suricata: Manajemen Rule dengan Oinkmaster"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 5: | Line 5: | ||
To install Oinkmaster, enter: | To install Oinkmaster, enter: | ||
− | sudo apt-get install oinkmaster | + | sudo apt-get install oinkmaster |
There are several rulesets. There is for example Emerging Threats (ET) Emerging Threats Pro and VRT. | There are several rulesets. There is for example Emerging Threats (ET) Emerging Threats Pro and VRT. | ||
Line 12: | Line 12: | ||
Oinkmaster has to know where the rules an be found. These rules can be found at: | Oinkmaster has to know where the rules an be found. These rules can be found at: | ||
− | http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz | + | http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz |
open oinkmaster.conf to add this link by entering: | open oinkmaster.conf to add this link by entering: | ||
− | sudo nano /etc/oinkmaster.conf | + | sudo nano /etc/oinkmaster.conf |
Place a # in front of the url that is already there and add the new url like this: | Place a # in front of the url that is already there and add the new url like this: | ||
Line 24: | Line 24: | ||
The next step is to create a directory for the new rules. Enter: | The next step is to create a directory for the new rules. Enter: | ||
− | sudo mkdir /etc/suricata/rules | + | sudo mkdir /etc/suricata/rules |
Next enter: | Next enter: | ||
− | cd /etc | + | cd /etc |
− | sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules | + | sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |
In the new rules directory a classification.config and a reference.config can be found. The directories of both have to be added in the suricata.yaml file. Do so by entering: | In the new rules directory a classification.config and a reference.config can be found. The directories of both have to be added in the suricata.yaml file. Do so by entering: | ||
− | sudo nano /etc/suricata/suricata.yaml | + | sudo nano /etc/suricata/suricata.yaml |
And add the new file locations instead of the file locations already present, like this: | And add the new file locations instead of the file locations already present, like this: | ||
Line 39: | Line 39: | ||
To see if everything works as pleased, run Suricata: | To see if everything works as pleased, run Suricata: | ||
− | suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0) | + | suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0) |
You will notice there are several rule-files Suricata tries to load, but are not available. It is possible to disable those rule-sets in suricata.yaml by deleting them or by putting a # in front of them. | You will notice there are several rule-files Suricata tries to load, but are not available. It is possible to disable those rule-sets in suricata.yaml by deleting them or by putting a # in front of them. | ||
Line 46: | Line 46: | ||
Emerging Threats contains more rules than loaded in Suricata. To see which rules are available in your rules directory, enter: | Emerging Threats contains more rules than loaded in Suricata. To see which rules are available in your rules directory, enter: | ||
− | ls /etc/suricata/rules/*.rules | + | ls /etc/suricata/rules/*.rules |
Find those that are not yet present in suricata.yaml and add them in yaml if desired. | Find those that are not yet present in suricata.yaml and add them in yaml if desired. | ||
Line 52: | Line 52: | ||
You can do so by entering : | You can do so by entering : | ||
− | sudo nano /etc/suricata/suricata.yaml | + | sudo nano /etc/suricata/suricata.yaml |
If you disable a rule in your rule file by putting a # in front of it, it will be enabled again the next time you run Oinkmaster. You can disable it through Oinkmaster instead, by entering the following: | If you disable a rule in your rule file by putting a # in front of it, it will be enabled again the next time you run Oinkmaster. You can disable it through Oinkmaster instead, by entering the following: | ||
− | cd /etc/suricata/rules | + | cd /etc/suricata/rules |
and find the sid of the rule(s) you want to disable. | and find the sid of the rule(s) you want to disable. | ||
Line 62: | Line 62: | ||
Subsequently enter: | Subsequently enter: | ||
− | sudo nano /etc/oinkmaster.conf | + | sudo nano /etc/oinkmaster.conf |
and go all the way to the end of the file. | and go all the way to the end of the file. | ||
Type there: | Type there: | ||
− | disablesid 2010495 | + | disablesid 2010495 |
Instead of 2010495, type the sid of the rule you would like to disable. It is also possible to disable multiple rules, by entering their sids separated by a comma. | Instead of 2010495, type the sid of the rule you would like to disable. It is also possible to disable multiple rules, by entering their sids separated by a comma. | ||
Line 74: | Line 74: | ||
You can also enable rules that are disabled by default. Do so by entering: | You can also enable rules that are disabled by default. Do so by entering: | ||
− | ls /etc/suricata/rules | + | ls /etc/suricata/rules |
In this directory you can see several rule-sets | In this directory you can see several rule-sets | ||
Enter for example: | Enter for example: | ||
− | sudo nano /etc/suricata/rules/emerging-malware.rules | + | sudo nano /etc/suricata/rules/emerging-malware.rules |
In this file you can see which rules are enabled en which are not. | In this file you can see which rules are enabled en which are not. | ||
Line 85: | Line 85: | ||
Instead, look up the sid of the rule you want to enable. Place the sid in the correct place of oinkmaster.config: | Instead, look up the sid of the rule you want to enable. Place the sid in the correct place of oinkmaster.config: | ||
− | sudo nano /etc/oinkmaster.conf | + | sudo nano /etc/oinkmaster.conf |
do so by typing: | do so by typing: | ||
− | enablesid: 2010495 | + | enablesid: 2010495 |
Instead of 2010495, type the sid of the rule you would like to to enable. It is also possible to enable multiple rules, by entering their sids separated by a comma. | Instead of 2010495, type the sid of the rule you would like to to enable. It is also possible to enable multiple rules, by entering their sids separated by a comma. | ||
Line 95: | Line 95: | ||
In oinkmaster.conf you can modify rules. For example, if you use Suricata as inline/IPS and you want to modify a rule that sends an alert when it matches and you would like the rule to drop the packet instead, you can do so by entering the following: | In oinkmaster.conf you can modify rules. For example, if you use Suricata as inline/IPS and you want to modify a rule that sends an alert when it matches and you would like the rule to drop the packet instead, you can do so by entering the following: | ||
− | sudo nano oinkmaster.conf | + | sudo nano oinkmaster.conf |
At the part where you can modify rules, type: | At the part where you can modify rules, type: | ||
− | modifysid 2010495 “alert” | “drop” | + | modifysid 2010495 “alert” | “drop” |
The sid 2010495 is an example. Type the sid of the rule you desire to change, instead. | The sid 2010495 is an example. Type the sid of the rule you desire to change, instead. | ||
Line 108: | Line 108: | ||
If you have already downloaded a ruleset (in the way described in this file), and you would like to update the rules, enter: | If you have already downloaded a ruleset (in the way described in this file), and you would like to update the rules, enter: | ||
− | sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules | + | sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules |
It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week. | It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week. |
Revision as of 10:43, 30 March 2020
Rule Management with Oinkmaster
It is possible to download and install rules manually, but there is a much easier and quicker way to do so. There are special programs which you can use for downloading and installing rules. There is for example Pulled Pork and Oinkmaster. In this documentation the use of Oinkmaster will be described.
To install Oinkmaster, enter:
sudo apt-get install oinkmaster
There are several rulesets. There is for example Emerging Threats (ET) Emerging Threats Pro and VRT. In this example we are using Emerging Threats.
Oinkmaster has to know where the rules an be found. These rules can be found at:
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
open oinkmaster.conf to add this link by entering:
sudo nano /etc/oinkmaster.conf
Place a # in front of the url that is already there and add the new url like this:
(Close oinkmaster.conf by pressing ctrl x, followed by y and enter. )
The next step is to create a directory for the new rules. Enter:
sudo mkdir /etc/suricata/rules
Next enter:
cd /etc sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
In the new rules directory a classification.config and a reference.config can be found. The directories of both have to be added in the suricata.yaml file. Do so by entering:
sudo nano /etc/suricata/suricata.yaml
And add the new file locations instead of the file locations already present, like this:
To see if everything works as pleased, run Suricata:
suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0)
You will notice there are several rule-files Suricata tries to load, but are not available. It is possible to disable those rule-sets in suricata.yaml by deleting them or by putting a # in front of them. To stop Suricata from running, press ctrl c.
Emerging Threats contains more rules than loaded in Suricata. To see which rules are available in your rules directory, enter:
ls /etc/suricata/rules/*.rules
Find those that are not yet present in suricata.yaml and add them in yaml if desired.
You can do so by entering :
sudo nano /etc/suricata/suricata.yaml
If you disable a rule in your rule file by putting a # in front of it, it will be enabled again the next time you run Oinkmaster. You can disable it through Oinkmaster instead, by entering the following:
cd /etc/suricata/rules
and find the sid of the rule(s) you want to disable.
Subsequently enter:
sudo nano /etc/oinkmaster.conf
and go all the way to the end of the file. Type there:
disablesid 2010495
Instead of 2010495, type the sid of the rule you would like to disable. It is also possible to disable multiple rules, by entering their sids separated by a comma.
If you run Oinkmaster again, you can see the amount of rules you have disabled. You can also enable rules that are disabled by default. Do so by entering:
ls /etc/suricata/rules
In this directory you can see several rule-sets Enter for example:
sudo nano /etc/suricata/rules/emerging-malware.rules
In this file you can see which rules are enabled en which are not. You can not enable them for the long-term just by simply removing the #. Because each time you will run Oinkmaster, the rule will be disabled again. Instead, look up the sid of the rule you want to enable. Place the sid in the correct place of oinkmaster.config:
sudo nano /etc/oinkmaster.conf
do so by typing:
enablesid: 2010495
Instead of 2010495, type the sid of the rule you would like to to enable. It is also possible to enable multiple rules, by entering their sids separated by a comma.
In oinkmaster.conf you can modify rules. For example, if you use Suricata as inline/IPS and you want to modify a rule that sends an alert when it matches and you would like the rule to drop the packet instead, you can do so by entering the following:
sudo nano oinkmaster.conf
At the part where you can modify rules, type:
modifysid 2010495 “alert” | “drop”
The sid 2010495 is an example. Type the sid of the rule you desire to change, instead.
Rerun Oinkmaster to notice the change. Updating your rules
If you have already downloaded a ruleset (in the way described in this file), and you would like to update the rules, enter:
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week.