
Sheriff CSM™

Customize Sheriff NIDS Rules

Occasionally you may want to customize the Sheriff NIDS rules or enable a rule that is disabled by default, so that the detection works better in your network. This section describes how to accomplish both.

Important: The steps below have been written for the Sheriff CSM All-in-One.

If running the Sheriff CSM Server and Sheriff CSM Sensor separately, you must perform step #1 through #7, step #9, and step #10 on each Sensor. You must perform step #8 on the Sheriff CSM Server, after copying the local.rules file from the Sensor to the Server. This is because the database only exists on the Server.

To customize the Sheriff NIDS rule(s)
  1. Identify the rule(s) you want to enable.

  2. Connect to the Sheriff Console through SSH and use your credentials to log in. The Sheriff Setup menu displays.

  3. On the Sheriff Setup main menu, select Jailbreak System to gain command line access. Select Yes when prompted. You will be in the root directory.
  4. Place the rule you want to enable into /etc/suricata/rules/local.rules and save your changes. One way to do this is to copy the rule(s) from the original rule file and paste it into local.rules, making sure to remove the "#" at the beginning of the line.

    The following example performs these tasks in a Linux one-liner:

    # cat /etc/suricata/rules/emerging_pro-policy.rules | grep 2009294 | cut -d'#' -f2 >> /etc/suricata/rules/local.rules

    In this command, grep is used to search for the unique ID (SID) of a disabled Credit Card Policy Rule, copy the matching line from /etc/suricata/rules/emerging_pro-policy.rules, remove the "#" at the beginning of the line (using cut), and append it to /etc/suricata/rules/local.rules.

    Open local.rules to confirm that the rule was copied correctly:

    # cat /etc/suricata/rules/local.rules
    alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1;)

    Note: To ensure that the rule doesn't conflict with existing rules, you should use a SID between 5,000,000 and 5,999,999.

  5. Repeat the command for all the rules you want to enable.

  6. Modify the rule(s) if needed and save your changes.
  7. Using a command line text editor of your choice, add a reference to local.rules at the bottom of /etc/suricata/rule-files.yaml:

    %YAML 1.1
    ---
    default-rule-path: /etc/suricata/rules
    rule-files:
    - emerging_pro-activex.rules
    - emerging_pro-attack_response.rules
    - emerging_pro-chat.rules
    [...]
    - suricata-smtp-events.rules
    - suricata-stream-events.rules
    - local.rules
  8. Run the following script to import the rules to the database:
    perl /usr/share/vigilante/scripts/create_sidmap.pl /etc/suricata/rules
  9. Restart the Sheriff NIDS service for your changes to take effect:

    # service suricata restart
  10. Restart the Sheriff Agent service to digest the changes:

    # service vigilante-agent restart
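The enable-and-append step (step 4) as a small POSIX shell helper, added here as an example and not part of the Sheriff CSM page or its tooling. Unlike the one-liner it matches the `sid:NNN;` token exactly, refuses to append a rule that is already in local.rules or already active in another feed file, and adds a check for duplicate SIDs across the rules directory, which is the problem the SID-range note above is meant to avoid. The function names, the scratch directory and the sample rules are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Sheriff CSM tooling): enable a disabled Suricata rule by SID,
# as step 4 does, but with an exact SID match and duplicate checks.

# enable_rule_by_sid SID RULES_DIR LOCAL_RULES
# Exit status: 0 appended, 1 already in LOCAL_RULES, 2 not found, 3 already active elsewhere.
enable_rule_by_sid() {
    sid="$1"; rules_dir="$2"; local_rules="$3"
    touch "$local_rules"
    # "sid:NNN;" is an exact token; grepping for the bare digits could match other rules.
    if grep -q "sid:${sid};" "$local_rules"; then
        return 1
    fi
    line=$(grep -h "sid:${sid};" "$rules_dir"/*.rules 2>/dev/null | head -n 1 \
           | sed 's/^[[:space:]]*//')
    [ -n "$line" ] || return 2
    case "$line" in
        "#"*) ;;            # commented out: the disabled rule we want
        *) return 3 ;;      # already active in a feed file; appending it would duplicate the SID
    esac
    # Drop the leading "#" (and any space after it), then append to local.rules.
    printf '%s\n' "$line" | sed 's/^#[[:space:]]*//' >> "$local_rules"
}

# duplicate_sids RULES_DIR: print SIDs used by more than one active (uncommented) rule line.
duplicate_sids() {
    grep -h -v '^[[:space:]]*#' "$1"/*.rules 2>/dev/null \
        | grep -o 'sid:[0-9][0-9]*;' | sort | uniq -d
}

# Demo on a constructed feed file in a scratch directory (SIDs and rule text are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/emerging_pro-policy.rules" <<'EOF'
#alert ip any any -> any any (msg:"POLICY sample disabled rule"; sid:5000001; rev:1;)
alert ip any any -> any any (msg:"POLICY sample enabled rule"; sid:5000002; rev:1;)
EOF
enable_rule_by_sid 5000001 "$demo_dir" "$demo_dir/local.rules" && echo "appended sid 5000001"
enable_rule_by_sid 5000001 "$demo_dir" "$demo_dir/local.rules" || echo "skipped, status $?"
enable_rule_by_sid 5000002 "$demo_dir" "$demo_dir/local.rules" || echo "skipped, status $?"
echo "duplicate SIDs: $(duplicate_sids "$demo_dir")"
rm -rf "$demo_dir"
```

On a Sensor the rules directory is /etc/suricata/rules and the target file is local.rules there; steps 7 through 10 still apply after the append.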

Warning: If you are using Sheriff CSM version 5.3.3 or earlier, running threat intelligence or plugin feed updates will overwrite any changes you made to the local.rules file. To avoid this issue, upgrade to Sheriff CSM version 5.3.4 or later.

Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.
Topic revision: r6 - 03 Sep 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.