Scirius Community Edition is a web interface dedicated to Suricata ruleset management. It handles the rules file and update associated files.
Scirius CE is developed by Stamus Networks and is available under the GNU GPLv3 license.
Scirius CE is an application written in Django. You can install it like any other Django application.
The following procedure has been tested on Debian Wheezy and Sid and Ubuntu LTS 12.04.
Scirius CE uses the following Django modules:
- tables2
- south
- bootstrap3
- requests
- revproxy
The easiest way to install the dependencies is to use pip.
On Debian, you can run
aptitude install python-pip python-dev
You can then install Django and the dependencies with
pip install -r requirements.txt
To use the suri_reloader script, which handles Suricata restarts, you will also need pyinotify
pip install pyinotify
It has been reported that on some Debian systems forcing a recent GitPython is required
pip install gitpython==0.3.1-beta2
You may also need the gitdb module
pip install gitdb
Get the source, then inside the source
python manage.py syncdb
Authentication is enabled by default in Scirius CE, so you will need to create a superuser account when proposed.
One of the easiest ways to try Scirius CE is to run the Django test server
python manage.py runserver
You can then connect to localhost:8000.
If you need the application to listen to a reachable address, you can run something like
python manage.py runserver 192.168.1.1:8000
Scirius CE generates a single rules file containing all activated rules. When editing the Suricata object, you have to set up the directory where you want this file to be generated and the associated files of the ruleset to be copied.
Scirius CE won't touch your Suricata configuration file, aka suricata.yaml. So you have to update it to point to the directory where data are set up by Scirius CE. If you are only using rules generated by Scirius CE, you should have something looking like the following in your suricata.yaml file
default-rule-path: /path/to/rules
rule-files:
  - scirius.rules
To interact with Scirius CE, you need to detect when the /path/to/rules/scirius.reload file is created, initiate a reload or restart of Suricata when that happens, and delete the reload file once this is done.
One possible way to do that is to use suri_reloader, available in the suricata/scripts directory. The syntax of suri_reloader can be something similar to
suri_reloader -p /path/to/rules -l /var/log/suri-reload.log -D
Use the -h option to get the complete list of options. Please note that suri_reloader uses the service command to restart or reload Suricata. This means you need an init script to get it working.
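The marker-file contract described above (detect scirius.reload, reload Suricata, delete the marker) is small enough to show in full. The following is an added example written for this page, not the suri_reloader script shipped with Suricata: it polls the rules directory instead of using pyinotify, and the reload action is injectable so it can be exercised without a running Suricata. The service command invocation mirrors what the page says suri_reloader does; the reload-failure handling (keep the marker so the reload is retried) is an assumption of this example.

```python
import subprocess
import time
from pathlib import Path
from typing import Callable, Optional

# Marker file written by Scirius CE into the rules directory (from the page).
RELOAD_MARKER = "scirius.reload"


def service_reload(service: str = "suricata") -> int:
    """Default action: ask the init system to reload Suricata through the
    'service' command, as suri_reloader does. Returns the exit code."""
    return subprocess.call(["service", service, "reload"])


def handle_reload_marker(rules_dir: str,
                         reload_action: Callable[[], int] = service_reload) -> Optional[int]:
    """Check once for the reload marker.

    If it is present, run reload_action. The marker is deleted only when the
    reload succeeded (exit code 0), so a failed reload is retried on the next
    check instead of being silently lost. Returns the action's exit code, or
    None when no marker was present."""
    marker = Path(rules_dir) / RELOAD_MARKER
    if not marker.exists():
        return None
    rc = reload_action()
    if rc == 0:
        marker.unlink()
    return rc


def watch(rules_dir: str, reload_action: Callable[[], int] = service_reload,
          interval: float = 2.0, log=print) -> None:
    """Poll forever; a minimal stand-in for the inotify-based suri_reloader."""
    while True:
        rc = handle_reload_marker(rules_dir, reload_action)
        if rc is not None:
            log(f"{RELOAD_MARKER} seen in {rules_dir}, reload exit code {rc}")
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    # Usage: python reload_watcher.py /path/to/rules
    watch(sys.argv[1] if len(sys.argv) > 1 else "/path/to/rules")
```

Run it under the same service manager as Suricata so that a crash of the watcher is noticed; otherwise rule pushes from Scirius CE silently stop taking effect.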
If you are using Suricata with Eve logging and Elasticsearch, you can get information about signatures displayed in the page showing information about Suricata.
You can also get graphs and details about a specific rule.
To set up the Elasticsearch connection, you can edit settings.py or create a local_settings.py file under the scirius directory to set up the feature.
Elasticsearch is activated if a variable named USE_ELASTICSEARCH is set to True in settings.py. The address of Elasticsearch is stored in the ELASTICSEARCH_ADDRESS variable and uses the format IP:port.
For example, if your Elasticsearch is running locally, you can add to local_settings.py
USE_ELASTICSEARCH = True
ELASTICSEARCH_ADDRESS = "127.0.0.1:9200"
ELASTICSEARCH_VERSION = 2  # 1, 2 or 5 depending on the ES major version
Please note that the name of the Suricata (set during edition of the object) must be equal to the host key present in Elasticsearch events. It can also be edited here: scirius -> suricata -> edit.
On the logstash side, the only necessary thing is to make sure that @timestamp is equal to the timestamp value provided in Suricata events. To do so, if your Suricata events are of type SELKS, one can use
filter {
  if [type] == "SELKS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
}
This is necessary to avoid glitches in the graphics generated by Scirius CE.
If you are using Kibana, it is possible to get links to your dashboards by clicking the top left icon.
To activate the feature, you need to edit your local_settings.py file:
KIBANA_URL = "http://localhost/"
USE_KIBANA = True
Scirius CE is using authentication by default. You will need a superuser to be able to create and edit users for scirius. syncdb should have created one for you. If it is not the case, you can run from the Scirius CE base directory
python manage.py createsuperuser
The base directory is the directory where the scirius sources have been extracted. If you are using SELKS this is /opt/selks/scirius.
You will then be able to connect using the provided credentials.
The permissions system is basic:
- Superusers can edit and create users
- Staff members can make changes on rulesets and suricata
This gives three useful levels for users:
- Read-only: no flag set
- Staff member: with staff flag set, they can update rulesets and suricata
- Super user: flags staff and superuser set, they can do anything
All actions done in ruleset management are logged. It is possible to access their history by using `Actions history`_ in the Stamus icon menu.
Optional comments are available for each action to allow users to interact with each other.
A Ruleset is made of components selected in different Sources. A Source is a set of files providing information to Suricata. For example, this can be the EmergingThreats ruleset.
To create a ruleset, you thus must create a set of Sources and then link them to the ruleset. Once this is done, you can select which elements of the source you want to use. For example, in the case of a signature ruleset, you can select which categories you want to use and which individual signatures you want to disable.
Once a Ruleset is defined, you can attach it to your Suricata. To do that simply edit the Suricata object and choose the Ruleset in the list.
To create a Source go to Sources -> Add (Add being in the Actions menu in the sidebar). Then set the different fields and click Submit.
A source of datatype Signatures files in tar archive has to follow some rules:
- It must be a tar archive
- All files must be under a rules directory
For example, if you want to fetch ETOpen Ruleset for Suricata 2.0.1, you can use:
- Name: ETOpen Ruleset
- URI: https://rules.emergingthreats.net/open/suricata-2.0.1/emerging.rules.tar.gz
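Because a Source of this datatype is fetched from a remote URI and then unpacked on the Scirius host, it is worth checking the archive before it is extracted. The following is an added example, not Scirius CE's own download code: it enforces the two layout rules stated above (a tar archive, everything under rules/) and, in addition, rejects members whose path would escape the extraction directory or that are links, which the page does not mention but which any tar-based feed importer should refuse. The build_archive helper only constructs test data in memory.

```python
import io
import tarfile
from pathlib import PurePosixPath
from typing import List, Tuple

# Layout rule from the page: all files must live under a "rules" directory.
REQUIRED_TOP_DIR = "rules"


def check_ruleset_archive(data: bytes) -> List[str]:
    """Return the list of problems found in a 'Signatures files in tar archive'
    payload. An empty list means the archive satisfies the layout rules and
    contains nothing that could write outside the extraction directory."""
    problems: List[str] = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return [f"not a tar archive: {exc}"]
    with tar:
        members = tar.getmembers()
        if not members:
            problems.append("archive is empty")
        for m in members:
            parts = PurePosixPath(m.name).parts
            # Rule from the page: every member sits under rules/.
            if not parts or parts[0] != REQUIRED_TOP_DIR:
                problems.append(f"{m.name}: not under {REQUIRED_TOP_DIR}/")
            # Defensive checks added by this example: no absolute paths,
            # no parent-directory components, no links, no device nodes.
            if m.name.startswith("/") or ".." in parts:
                problems.append(f"{m.name}: path escapes extraction directory")
            if m.issym() or m.islnk():
                problems.append(f"{m.name}: links are not allowed")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: unsupported member type")
    return problems


def build_archive(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build a small tar.gz in memory (constructed test data, not a real feed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_archive([("rules/emerging-malware.rules", b"# constructed sample\n")])
    print(check_ruleset_archive(sample) or "archive OK")
```

Run the check on the downloaded bytes before handing them to the extractor; a non-empty result should abort the Source update and be recorded in the action history rather than partially applied.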
A source of datatype Individual signature files has to be a single file containing signatures.
For example, if you want to use SSL blacklist from abuse.ch, you can use:
- Name: SSLBL abuse.ch
- URI: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
To update a Source, you first need to select it. To do that, go to Sources then select the wanted Source in the array.
You can then click on Update in the menu in the sidebar. This step can take long as it can require some download and heavy parsing.
Once updated, you can browse the result by following the links in the array.
To create a Ruleset go to Ruleset -> Add (Add being in the Actions menu in the sidebar). Then set the name of the Ruleset, choose which Sources to use and click Submit.
To update a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the array.
You can then click on Update in the Action menu in the sidebar. This step can take long as it can require download of different Sources and heavy parsing.
To edit a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the array.
You can then click on Edit in the Action menu in the sidebar.
There are now different operations available in the Action menu:
- Edit sources: select which sources of signatures to use in the Ruleset
- Edit categories: select which categories of signatures to use in the Ruleset
- Add rule to suppressed list: if a rule is in this list then it will not be part of the generated Ruleset
- Remove rule from suppressed list: this removes a rule from the previously mentioned list, thus re-enabling it in the Ruleset
To select which Sources to use, just select them via the checkbox and click on Update sources. Please note that selecting categories to enable is the next step in the process when you add a new source.
To select which Categories to use, just select them via the checkbox and click on Update categories.
Use the search field to find the rule(s) you want to remove; you can use the SID or any other element in the signature. Scirius CE will search the entered text in the definition of the signature and return you the list of rules.
You will then be able to remove them by clicking on the check boxes and clicking on Add selected rules to suppressed list.
To remove rules from the suppressed list, simply check them in the array and click on Remove selected rules from suppressed list.
Suricata features a thresholding system. It allows changing the behavior of a given alert. There are currently two different operations supported by Scirius CE:
- Suppress: suppress the alert for a signature when the IP source or IP destination is in a defined range
- Threshold: limit the number of alerts for a signature by specifying a number of alerts for a time range, or a minimum of alerts in a time range before alerting
Both operations can be accessed via a rule page. Clicking on an arrow down in the Source or Destination IP table will open a page where it is possible to add a Threshold. By clicking on the cross, a Suppress operation can be added.
The list of Threshold and Suppress entries for a rule can be seen from the Rules info tab.
Threshold and Suppress are bound to a Ruleset. You can see all the defined ones from the Ruleset page.
To delete or edit a Threshold or a Suppress, simply click on the displayed ID. Then select Edit or Delete in the left menu.
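The two operations above end up as lines in Suricata's threshold configuration file. The following added example (written for this page, not Scirius CE's own generator) renders Suppress and Threshold objects bound to a ruleset into that format and validates the fields first, so a typo in an IP range or a zero count is caught before Suricata refuses the file. The dataclass field names are this example's own; the output syntax is Suricata's suppress/threshold syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

VALID_TRACK = {"by_src", "by_dst"}
VALID_TYPE = {"limit", "threshold", "both"}


@dataclass
class Suppress:
    """Suppress the alert for sid when the tracked IP is inside ip (host or CIDR)."""
    sid: int
    track: str        # "by_src" or "by_dst"
    ip: str           # single address or CIDR range
    gid: int = 1      # generator id of ordinary signatures


@dataclass
class Threshold:
    """limit: at most count alerts per seconds; threshold: alert only once
    count events were seen within seconds; both: combine the two."""
    sid: int
    track: str
    type: str
    count: int
    seconds: int
    gid: int = 1


def render(entry: Union[Suppress, Threshold]) -> str:
    """Render one object as a threshold.config line, validating it first."""
    if entry.track not in VALID_TRACK:
        raise ValueError(f"sid {entry.sid}: track must be one of {sorted(VALID_TRACK)}")
    if isinstance(entry, Suppress):
        # ip_network raises on malformed input; strict=False accepts host bits set.
        net = ipaddress.ip_network(entry.ip, strict=False)
        ip = str(net.network_address) if net.num_addresses == 1 else str(net)
        return f"suppress gen_id {entry.gid}, sig_id {entry.sid}, track {entry.track}, ip {ip}"
    if entry.type not in VALID_TYPE:
        raise ValueError(f"sid {entry.sid}: type must be one of {sorted(VALID_TYPE)}")
    if entry.count <= 0 or entry.seconds <= 0:
        raise ValueError(f"sid {entry.sid}: count and seconds must be positive")
    return (f"threshold gen_id {entry.gid}, sig_id {entry.sid}, type {entry.type}, "
            f"track {entry.track}, count {entry.count}, seconds {entry.seconds}")


def render_threshold_config(ruleset_name: str,
                            entries: List[Union[Suppress, Threshold]]) -> str:
    """Produce the full file for one ruleset, one line per object."""
    lines = [f"# threshold.config generated for ruleset {ruleset_name}"]
    lines.extend(render(e) for e in entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample objects; the sids are placeholders, not real signatures.
    sample = [
        Suppress(sid=2000001, track="by_src", ip="10.0.0.0/8"),
        Threshold(sid=2000002, track="by_dst", type="limit", count=1, seconds=60),
    ]
    print(render_threshold_config("example-ruleset", sample), end="")
```

Suricata reads the generated file through the threshold-file setting in suricata.yaml, so the file must be written (or copied) to the path referenced there and a reload triggered, just as for scirius.rules.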
Rule transformation allows the action of a particular rule to be changed to drop, reject or filestore. Please note these actions require advanced knowledge about rules and the rule keywords language.
Once you have a particular rule that you would like to transform, in the rule's details page, on the left hand side panel under Actions, click Transform rule. You will be presented with a few choices.
Type of transformation to choose from:
- drop (IPS mode): will convert the rule from alert to drop. IPS mode needs to be explicitly set up and configured beforehand.
- reject (IDPS/hybrid): will convert the rule from alert to reject, meaning that when triggered a RST or destination unreachable packet will be sent to both the src and dst IP.
- filestore: will convert only those rules that have protocols allowing for file extraction, for example alert http... or alert smtp...
Choose a ruleset you wish the newly transformed rule to be added/registered in.
NOTE: A particular rule can be transformed only once.
NOTE: For using the drop functionality you need to have a valid IPS setup.
After you make the desired selection you can add a comment for the purpose of accountability and click on Valid.
You will have the details about the transformed rule in the Information tab. You can review and confirm the transformation and the ruleset it is added to, alongside any comments.
Only rules that are active can be transformed. If a rule is not active in a particular ruleset it will not have the transformation or suppress/threshold options available on the left hand side panel. To make it active you can toggle the availability of that rule by clicking on the Toggle availability option on the left hand side panel menu.
The history tab of the rule details page will have any comments and changes to the transformed rule for traceability.
After the transformation is done, the ruleset(s) that contain the new transformed rule need to be pushed to the remote devices in order for the rule to be deployed. That can be accomplished either through a manual or scheduled ruleset push as explained in Updating Suricata ruleset.
To update the Suricata ruleset, you can go to Suricata -> Update (Update being in the Actions menu). Then you have to select which action you want to do:
- Update: download latest version of the Sources used by the Ruleset
- Build: build a Suricata ruleset based on current version of the Sources
- Push: trigger a Suricata reload to have it running with latest build ruleset
You can also update the ruleset and trigger a Suricata reload by running
python manage.py updatesuricata
Suricata can be used in IDS and IPS mode. Traditional sources don't come with ready-to-use rules for IPS, and the user has to set up his IPS ruleset by transforming the rules that he wants to be blocking before loading them into Suricata. The basic transformation is to change the alert keyword to drop. But it is also possible to use the reject method.
Scirius allows you to do these modifications for a complete category or for a single rule. The rule modification has priority, so it is possible to remove the transformation from a rule belonging to a category with transformation enabled.
As Suricata allows you to store files transferred on alert, it is also possible to add the filestore option to a rule, thus enabling you to store on disk the file triggering a specific alert.
Once transformations are created, the ruleset will be generated with transformed rules.
To transform a category, you can go to the category page, then in the left sidebar, click on Transform category and choose one transformation and the rulesets to apply it to.
These transformations are exclusive: for example it is not possible to drop and filestore at the same time, so you need to choose one from the list of transformations.
To transform a rule, you can go to the rule page, then in the left sidebar, click on Transform rule and choose one transformation and the rulesets to apply it to.
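The rules of the section above (alert becomes drop or reject, filestore is only added for file-extraction protocols, transformations are exclusive, and a rule-level setting overrides the category-level one) can be captured in a small generator. The following is an added example written for this page, not Scirius CE's own implementation: the rule text handling, the set of protocols accepted for filestore (the page names http and smtp; the others are Suricata file-extraction protocols this example assumes), and the use of "none" as an explicit rule-level opt-out are all choices of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

TRANSFORMS = {"drop", "reject", "filestore"}
# Protocols on which Suricata can extract files; http and smtp come from the
# page, the rest is this example's assumption.
FILESTORE_PROTOS = {"http", "smtp", "ftp", "ftp-data", "smb", "nfs"}

RULE_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<rest>.*\(.*\))\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def sid_of(rule: str) -> int:
    m = SID_RE.search(rule)
    if not m:
        raise ValueError("rule has no sid")
    return int(m.group(1))


def transform_rule(rule: str, transform: Optional[str]) -> str:
    """Apply one (exclusive) transformation to a single rule line."""
    if transform is None:
        return rule
    if transform not in TRANSFORMS:
        raise ValueError(f"unknown transformation {transform!r}")
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a parseable rule line")
    action, proto, rest = m.group("action"), m.group("proto"), m.group("rest")
    if transform in ("drop", "reject"):
        # Only alert rules are converted; pass/drop/reject rules are left alone.
        return rule if action != "alert" else f"{transform} {proto} {rest}"
    # filestore: only meaningful where files can be extracted, and added once.
    if proto not in FILESTORE_PROTOS or re.search(r"\bfilestore\s*;", rest):
        return rule
    return f"{action} {proto} {rest[:-1].rstrip()} filestore;)"


def effective_transform(rule_setting: Optional[str],
                        category_setting: Optional[str]) -> Optional[str]:
    """Rule-level setting has priority; an explicit 'none' at rule level
    removes the transformation inherited from the category."""
    if rule_setting is not None:
        return None if rule_setting == "none" else rule_setting
    return category_setting


def generate_ruleset(rules: List[Tuple[str, str]],
                     category_transforms: Dict[str, str],
                     rule_transforms: Dict[int, str]) -> List[str]:
    """rules: (category, rule text) pairs; returns the transformed lines."""
    out = []
    for category, rule in rules:
        chosen = effective_transform(rule_transforms.get(sid_of(rule)),
                                     category_transforms.get(category))
        out.append(transform_rule(rule, chosen))
    return out


if __name__ == "__main__":
    # Constructed sample rules with placeholder sids; not real signatures.
    sample = [
        ("malware", 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"sample one"; sid:1000001; rev:1;)'),
        ("malware", 'alert dns $HOME_NET any -> any 53 (msg:"sample two"; sid:1000002; rev:1;)'),
        ("policy", 'alert smtp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"sample three"; sid:1000003; rev:1;)'),
    ]
    for line in generate_ruleset(sample, {"malware": "drop"}, {1000002: "none", 1000003: "filestore"}):
        print(line)
```

Because drop rules only take effect in a valid IPS setup, a deployment check that refuses to push a ruleset containing drop lines to a sensor running in IDS mode is a worthwhile companion to this generator.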
To start a backup, run
python manage.py scbackup
To restore a backup and erase all your data, you can run
python manage.py screstore
python manage.py migrate
This will restore the latest backup. To choose another backup, indicate a backup filename as the first argument. To get the list of available backups, use
python manage.py listbackups
You cannot restore a backup to a Scirius CE installation older than the one where the backup was made.
With the default configuration file, the backup is done on disk in /var/backups but other methods are available. As Scirius CE is using the django-dbbackup application for backup and restore procedures, it benefits from all methods available in this application. This includes at least:
- FTP
- Amazon AWS
- Dropbox
Please see django-dbbackup configuration for more information on available methods and on their configuration.