Suricata rules management

Corelight-update uses the familiar disable.conf, enable.conf, and modify.conf files to process and manage Suricata rules, while offering significant performance and functionality improvements over other solutions.

Once all the rules from all the sources are downloaded and merged, Corelight-update makes up to three passes processing the rules:

  1. The first pass will process Corelight recommended modifications (if enabled).

  2. The second pass will process global modifications.

  3. The third pass will process the individual policy modifications.

For each pass, any disable rule filters (disable.conf entries) are processed, then the enable rule filters (enable.conf entries), followed by rule modifiers (modify.conf entries).

File filters

In addition to disabling individual rules, the disable.conf entries can be used to ignore entire rulesets by file name. Filters are used to identify and ignore ruleset files as they are copied to the working directory for processing. After the files are downloaded and uncompressed (as necessary), if a ruleset filename matches an entry in disable.conf, it is ignored.

# Examples of disabling by file name.
Filename:emerging-icmp.rules
Filename:emerging-dos
Filename:emerging
group:emerging-icmp.rules
group:emerging-dos
group:emerging

Important

The Filename filter matches all file names that begin with the entry.
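The prefix semantics above are easy to get wrong: an entry of `Filename:emerging` ignores every file that begins with `emerging`, not just one ruleset. The following is an added example (not Corelight-update's own code) that reads a disable.conf text, picks out the file filters, and applies them as prefix matches to a constructed list of downloaded file names. It treats `Filename:` and `group:` identically, as the examples above do, and skips any entry that is not a file filter; the function names and the sample data are assumptions made for the demonstration.

```python
# Added example, not Corelight-update's own implementation: apply disable.conf file filters
# (Filename:/group: entries) to a set of downloaded ruleset file names with prefix matching.

def parse_file_filters(disable_conf):
    """Return the file-name prefixes from a disable.conf text; rule entries and comments are skipped."""
    prefixes = []
    for raw in disable_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Filename", "group"):  # both forms are file filters on this page
            prefixes.append(value.strip())
    return prefixes

def select_ruleset_files(filenames, disable_conf):
    """Split file names into (kept, ignored); a file is ignored if it begins with any filter prefix."""
    prefixes = parse_file_filters(disable_conf)
    kept, ignored = [], []
    for name in filenames:
        (ignored if any(name.startswith(p) for p in prefixes) else kept).append(name)
    return kept, ignored

# Constructed sample: a merged download directory and a disable.conf that mixes entry types.
DOWNLOADED = ["emerging-icmp.rules", "emerging-dos.rules", "emerging-malware.rules",
              "botcc.rules", "local.rules"]
DISABLE_CONF = """
# ignore whole files
Filename:emerging-icmp.rules
group:emerging-dos
# a rule filter, not a file filter
2010937
"""

if __name__ == "__main__":
    kept, ignored = select_ruleset_files(DOWNLOADED, DISABLE_CONF)
    print("kept:", kept)
    print("ignored:", ignored)
    # the broad prefix from the note above ignores all three emerging-* files
    print("ignored by Filename:emerging ->", select_ruleset_files(DOWNLOADED, "Filename:emerging")[1])
```

Run it to see that `group:emerging-dos` already catches `emerging-dos.rules` (the `.rules` suffix is not needed) and that the bare prefix `emerging` removes every ET Open file in the sample; when auditing a disable.conf, check each file filter against the full list of downloaded file names rather than the one you had in mind.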

Rule filters

To disable a rule that is enabled by default, add the rule to the disable.conf file. To enable a rule that is disabled by default, add the rule to the enable.conf file.

There are multiple methods to identify the rules to be disabled or enabled. The first is to list the Signature ID (<sid>) or the Generator ID and Signature ID combination (<gid>:<sid>).

# GID:SID
<sid>
<gid>:<sid>

Another method is to use regex. Rule filters that use a regex pattern will be applied to rules that match that pattern.

Note

Regex patterns must be wrapped in double quotes or have any white space removed. Use a \s to represent white space.

Special characters also have to be escaped, for example, use \$ for $.

# Regex
re:<regex string>

# Match all rules that begin with "alert udp $HOME_NET any -> any 53"
re:alert\sudp\s\$HOME_NET\sany\s->\sany\s53
re:"alert udp \$HOME_NET any -> any 53"

A third method, unique to Corelight-update, is to select rules individually or in groups with Field:Value pairs. Use any of these fields to identify the rule:

# Field:Value
Protocol:<value>
SrcAddress:<value>
SrcPort:<value>
DestAddress:<value>
DestPort:<value>
Classtype:<value>
Metadata:<contains value>

When using the Metadata field to identify a rule, the string to look for must be wrapped in double quotes if it contains any white space.

Rule modifiers

To modify a Suricata rule, the rule is identified in the same way as for rule filters, except that several rules can also be selected at once with a list of GID:SID pairs. Multiple GID:SID entries on the same line must be comma separated.

Rules can be identified and modified one of four ways:

  • The legacy format: <gid:sid> "<from regex>" "<to string>" (The gid is optional.)

  • The legacy regex format: re:<rule regex> "<from regex>" "<to string>"

  • The new Corelight-update regex format: re:<rule regex> <field>:<value>

  • The new Corelight-update format: <rule> <field>:<value>

Tip

See the Suricata documentation for more information about Suricata rules format.

Legacy format and Legacy regex format

The legacy and legacy regex formats require the <from regex> and <to string> statements to be enclosed in double quotes and separated by a space: "<from regex>" "<to string>". The space between the two quoted expressions is what delineates them.

With the legacy format, the rule identifier is a combination of one or more GID:SID combinations. With the legacy regex format, the rule identifier is a regex pattern re:<rule regex>. For example,

# Legacy format
<sid> "<from regex>" "<to string>"
<gid>:<sid> "<from regex>" "<to string>"
<sid>,<gid>:<sid>,<gid>:<sid> "<from regex>" "<to string>"
<sid>,<sid>,<sid>,<sid> "<from regex>" "<to string>"

# Legacy regex format
re:<rule regex> "<from regex>" "<to string>"

Caution

Regex patterns used to identify the rule must be wrapped in double quotes or have any white space removed. Use a \s to represent white space.

Corelight-update regex format

The Corelight-update regex format can use a regex pattern to identify the rule or rules to be modified, and then use the new Field:Value method to modify the rule.

In the Field:Value pair, values can be enclosed in double quotes, but this is not required (unless the signature field itself requires double quotes, as Msg does).

re:<regex string> <field>:<value>

# Match all rules that begin with "alert udp $HOME_NET any -> any 53"
# and change the "Classtype" to "misc-attack"
re:alert\sudp\s\$HOME_NET\sany\s->\sany\s53 Classtype:misc-attack

Once the rule is identified, it can be modified by listing the field and the value it should be set to. (See Modify examples)

New Modify Options for v1.3.0

New in Corelight-update v1.3.0, content can be appended to the Metadata and Other fields with MetadataAppend and OtherAppend respectively. When an Append field name is used, the content in the Value section is appended to the existing content, separated from it by a single space.

# Any of the following fields can be modified:
Protocol
SrcAddress
SrcPort
DestAddress
DestPort
Msg
SID
GID
Rev
Classtype
Metadata
MetadataAppend # Any content added with "MetadataAppend" will be appended to the existing content.
Threshold
Priority
Target

# All other Option fields have to be modified as a single string with the field "Other"
Other        # e.g. Other:reference:url,blacklist.3coresec.net/lists/et-open.txt;
OtherAppend  # Any content added with "OtherAppend" will be appended to the existing content.

Corelight-update format

As above, values in the Field:Value pair can be enclosed in double quotes, but this is not required (unless the signature field itself requires double quotes, as Msg does).

Any of these fields can be used to identify the rule:

# GID:SID
<sid>
<gid>:<sid>
<sid>,<gid>:<sid>,<gid>:<sid>
<sid>,<sid>,<sid>,<sid>

# Field:Value
Protocol:<value>
SrcAddress:<value>
SrcPort:<value>
DestAddress:<value>
DestPort:<value>
Classtype:<value>
Metadata:<value contains>  # The value contains is a string in the metadata field used to identify the rule.

Once the rule is identified, the same fields listed for Corelight-update regex format (listed above) can be modified by listing the field and the value.
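To make the selector and modifier semantics of the "Rule filters" and "Rule modifiers" sections concrete, and to show the disable, then enable, then modify order of a single pass, here is an added example in Python. It is not Corelight-update's own implementation: the rule parser, the function names (`parse_rule`, `matches`, `apply_modify_line`, `run_pass`) and the sample rules are assumptions made for the demonstration, and the parser keeps a single value per option keyword, so rules that repeat a keyword (several `content:` matches) are outside its scope. It covers SID and GID:SID selectors (single and comma-separated), `re:` selectors in both the `\s` and the double-quoted spelling, Field:Value selectors with the "contains" test for Metadata, the legacy `"<from regex>" "<to string>"` modifier, Field:Value modifiers including `Msg`, `MetadataAppend`, `Other` and `OtherAppend`.

```python
# Added example, not Corelight-update's own code: a small model of the selectors and modifiers
# described on this page. Function names are assumptions, and the parser keeps one value per
# option keyword, so rules with repeated keywords (several content: matches) are out of scope.
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$")
OPT_RE = re.compile(r'\s*([\w.-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # keyword; or keyword:value;
LEGACY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"$')   # "<from regex>" "<to string>"
HEADER_FIELDS = {"Protocol": "proto", "SrcAddress": "src", "SrcPort": "sport", "DestAddress": "dst", "DestPort": "dport"}
# options with a dedicated Field name; every other option is part of the single "Other" string
NAMED_OPTS = ("msg", "sid", "gid", "rev", "classtype", "metadata", "threshold", "priority", "target")

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = {k: v for k, v in m.groupdict().items() if k != "body"}
    rule["opts"] = {k: v or None for k, v in OPT_RE.findall(m.group("body"))}  # None = flag keyword
    return rule

def rule_text(rule):
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in rule["opts"].items())
    return "{action} {proto} {src} {sport} {dir} {dst} {dport}".format(**rule) + f" ({body})"

def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def matches(rule, selector):
    """True if <sid>, <gid>:<sid>, a comma list of ids, re:<regex> or Field:<value> picks this rule."""
    if selector.startswith("re:"):  # the page's patterns describe the start of the rule text
        return re.match(unquote(selector[3:]), rule_text(rule)) is not None
    if ":" in selector and not selector[0].isdigit():
        fld, val = (unquote(p) for p in selector.split(":", 1))
        if fld in ("Metadata", "Classtype"):
            have = rule["opts"].get(fld.lower()) or ""
            return val in have if fld == "Metadata" else have == val  # Metadata is a "contains" test
        return rule[HEADER_FIELDS[fld]] == val
    sid, gid = rule["opts"].get("sid"), rule["opts"].get("gid") or "1"  # Suricata's default gid is 1
    return any(s == sid and g in ("", gid) for g, _, s in (i.rpartition(":") for i in selector.split(",")))

def split_selector(line):
    """Split a modify.conf line into (selector, change); a quoted re:"..." selector may contain spaces."""
    if line.startswith('re:"'):
        end = line.index('"', 4)
        return line[:end + 1], line[end + 1:].strip()
    sel, _, rest = line.partition(" ")
    return sel, rest.strip()

def modify(rule, change):
    """Apply one change: legacy "<from regex>" "<to string>" (sed-style) or <Field>:<value>."""
    legacy = LEGACY_RE.match(change)
    if legacy:
        rule.update(parse_rule(re.sub(legacy.group(1), legacy.group(2), rule_text(rule))))
        return
    fld, _, val = change.partition(":")
    val = val if fld == "Msg" else unquote(val)  # msg keeps its quotes, the signature field needs them
    if fld in HEADER_FIELDS:
        rule[HEADER_FIELDS[fld]] = val
    elif fld == "MetadataAppend":  # appended after a single space, as the page states
        cur = rule["opts"].get("metadata")
        rule["opts"]["metadata"] = f"{cur} {val}" if cur else val
    elif fld in ("Other", "OtherAppend"):
        if fld == "Other":  # replace every option that has no dedicated Field name
            rule["opts"] = {k: v for k, v in rule["opts"].items() if k in NAMED_OPTS}
        rule["opts"].update({k: v or None for k, v in OPT_RE.findall(val)})
    elif fld.lower() in NAMED_OPTS:
        rule["opts"][fld.lower()] = val
    else:
        raise ValueError(f"unknown modify field: {fld}")

def apply_modify_line(rules, line):
    """Apply one modify.conf line to every rule its selector picks; returns the number changed."""
    selector, change = split_selector(line)
    hit = [r for r in rules if matches(r, selector)]
    for r in hit:
        modify(r, change)
    return len(hit)

def run_pass(rules, enabled, disable_lines, enable_lines, modify_lines):
    """One pass in the page's order: disable filters, then enable filters, then modifiers."""
    for lines, state in ((disable_lines, False), (enable_lines, True)):
        for sel in lines:
            for r in [x for x in rules if matches(x, sel)]:
                enabled[r["opts"]["sid"]] = state
    for line in modify_lines:
        apply_modify_line(rules, line)
    return enabled  # sid -> bool, carried from one pass to the next

# Constructed sample rules (placeholder SIDs in the 9000000 range, not taken from any real ruleset).
SAMPLE_RULES = [
    'alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE DNS query"; dns.query; content:"example.invalid"; nocase; '
    'classtype:trojan-activity; sid:9000001; rev:2; metadata:created_at 2024_01_01, updated_at 2024_02_01;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flow:to_server; flags:S; '
    'classtype:attempted-recon; sid:9000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ICMP ping"; itype:8; classtype:misc-activity; sid:9000003; rev:1;)',
]
```

A pass such as `run_pass(rules, {sid: True ...}, ["Protocol:udp"], ["9000001"], [...])` leaves SID 9000001 enabled even though the disable filter matched it, because enable filters run after disable filters within the same pass; the same ordering applies between the three passes, so a global disable can be undone by a policy enable. The `Other` modifier replaces every option that does not have its own field name, so use `OtherAppend` when the intent is to add a reference or a flowbit rather than rewrite the whole option string.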