Changing Suricata "Threshold SIDS List"

[ejgh-oe]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

10

RAM

32

Storage for /

500GB

Storage for /nsm

500GB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
To weed out fals positives I've written quite some threshold-rules for suricata over time. In previous releases they got configured via Configuraion > suricata > thresholding > SIDS.

In one of the most recent releases this became R/O:

My questions:

• Are my previous suppress rules still in place and working?
• How can I change existing suppress rules? For example I'd like to change the rule for SID 2001219 (see screenshot above). When I enter the new config via the Detections interface isn't there a conflict between what's been there previously (now displayed as R/O) and my new configuration settings?
• Is there any way for a "mass entry" for suppress rules, or is the Detections Interface (GUI) the only method. (Don't get me wrong: the Detections Interface is perfect for adding/tuning single rules, but when you've got a lot of fine tuned detections that were built over time it would be easier to get them installed in one swoop as opposed to entering them separately via the GUI)
• In the config-settings under suricata > config > threshold-file there's a reference to a file /etc/suricata/threshold.conf - but that file isn't anywhere in the filesystem
  
  What's this file all about?

Thanks much in advance for you help.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

That location is in the container. Your threshold.conf file is at /opt/so/conf/suricata/threshold.conf. Do you see any of your previous configurations in there?

[ejgh-oe]

That location is in the container. Your threshold.conf file is at /opt/so/conf/suricata/threshold.conf. Do you see any of your previous configurations in there?

Unfortunately this file isn't even there, nor is the directory that should contain that file:

[root@onion-master conf]# pwd
/opt/so/conf
[root@onion-master conf]# ls suricata
ls: cannot access 'suricata': No such file or directory
[root@onion-master conf]#

I even did a find / -name threshold.conf - no such file found in the entire filesystem.

[cm-ops]

It would be on your sensor node, check there.

[ejgh-oe]

It would be on your sensor node, check there.

Thanks for the hint - yes, it's on the sensor node and contains all mods I originally made.

So how should I proceed from there in order to make bulk modifications to suppress/threshold rules?

[cm-ops]

Through Detections is the recommended way to tune. How many rules are you looking to suppress/threshold? What do you have in /opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml? The threshold.conf gets populated from that file.

[ejgh-oe]

Through Detections is the recommended way to tune. How many rules are you looking to suppress/threshold?

27 altogether

What do you have in /opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml? The threshold.conf gets populated from that file.

Just took a look at /opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml - it holds all the mods I made in the exact same format I entered them originally.

So from what you've written above it seems like I should go ahead and I re-enter these 27 rules via the Detections interface again? Should I remove the file /opt/so/saltstack/local/salt/suricata/thresholding/sids.yaml beforehand or will some builtin magic ;-) take care of possible duplicates?

[cm-ops]

Are you previous thresholds working still? If not, enter them in Detections, they will get added to the bottom of sids.yaml, then remove the older ones at the top from the file.

[ejgh-oe]

Are you previous thresholds working still?

Yes, they are working without any problems so far.

If not, enter them in Detections, they will get added to the bottom of sids.yaml, then remove the older ones at the top from the file.

The problem is that I have no way of deleting/changing these old entries when I need to, since they don't appear in the detections interface.

So "trying to read between the lines" ;-) do you suggest I re-enter all the threshold/suppress clauses in that file via the Detections interface? With 20+ custom settings this will take some time but shouldn't be a problem after all.

I'll go ahead and give it a try and report back here.

[ejgh-oe]

So "trying to read between the lines" ;-) do you suggest I re-enter all the threshold/suppress clauses in that file via the Detections interface? With 20+ custom settings this will take some time but shouldn't be a problem after all.

I'll go ahead and give it a try and report back here.

TL;DR;
Entering all custom suppress rules via the Detections interface worked without any problems.

I started out emptying the sids.yaml file in order to not have any custom suppress rules in place. As expected the previously suppressed SIDs generated alerts so I went from the Alert interface -> Detections and re-built my custom suppress rules via the GUI. Having a history in the Detections interface is something that comes in very handy, esp. if you're tuning detections over time :-)

Having everything running smooth again I'll set this thread to solved/answered. Thanks to you all for your help.