SELKS | scirius | threshold – suppress – pass

Hi folks!

SELKS is great stuff.
Read the manual. ;)
You can suppress alerts via the web interface (and maybe the desktop), but there are some limitations:
1. A suppress rule allows filtering either by source address OR by target address, not both.
2. You can not import a bulk of suppress rules into a fresh installation.

The good news is that there is hope and a workaround:
Suricata includes a mechanism called ‘pass rules’: traffic matching a pass rule is let through and skipped by alert detection, so the alert is never generated.
Follow these steps:

1. Create a rules file containing a line like (the full header is action, protocol, source IP/port, direction, destination IP/port):

 pass ip any any <> any any (msg:"pass all traffic from/to"; sid:1;)

ATTENTION: The sid must be unique on your system. To list the sids already in use (leave out the grep -v part if you also want the sids of hash-commented rules, which SELKS registers as disabled, see step 6) run:

 # cat /etc/suricata/rules/scirius.rules | grep -v -e '^#' -e '^\s*$' | grep 'sid:' | sed 's|.*sid:||' | sed 's|;.*||' | sort -un

Pick a sid range (‘name space’) for your own rules, well away from the ranges the public rulesets use, so they never collide.

2. Open the Administration page. Go to ‘Sources’. ‘Add custom source’. Check the rulesets in which your pass rules should be active. (A pass ruleset only affects alerts inside the rulesets it is assigned to.)

3. Open ‘Rulesets’. ‘Edit’ a ruleset. ‘Edit categories’. Your pass ruleset should be checked.

4. Register the new source with Scirius. DO (!!) this AS USER www-data [!!!] AND NEVER AS ROOT. The command below switches user with su; updatesuricata is one of Scirius’ Django manage.py commands:

 # su -s /bin/bash -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/manage.py updatesuricata && deactivate' www-data

5. Check /etc/suricata/rules/scirius.rules for your pass rules. Check the bottom. :)

6. Tuning the pass rule
Create a pass rule straight from the alert rule you want to pass. Remove some parameters like classtype and reference. Give it a unique sid from YOUR self-chosen name space.
ATTENTION: Hash-commented lines will be registered as ‘DISABLED’. That means that the sids inside commented lines must also be unique.
ATTENTION2: You can’t simply overwrite a formerly registered sid. YOU HAVE TO INCREASE THE REVISION (rev:)! Otherwise your changes will be ignored.

7. Rules in your home-grown rules file that were formerly commented/disabled and are now enabled will still appear as disabled in the Web GUI until you enable them right there.

8. Pass rule hint:
For sharp filter results look up the corresponding alert and copy its parameters.
Change the sid.
Remove the category.

9. There are some issues with updating the rules: Delete your pass ruleset and add it again under another name. Then do ‘Administration’ + ‘Suricata’ + ‘Ruleset action’ + select all checkboxes + run.
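The two ATTENTION points above (sids must be unique, commented lines included, and a changed rule needs a higher rev) are easy to get wrong by hand. Here is an added example, not from the original post or from SELKS/Scirius, of a small POSIX shell script that checks a home-grown pass-rule file before you run updatesuricata. The file names and all rule lines in it are constructed samples; on a real box you would point it at /etc/suricata/rules/scirius.rules and at the previously registered copy of your own file.

```shell
#!/bin/sh
# Added example, not part of the original post or of SELKS/Scirius.
# Two pre-flight checks for a home-grown pass-rule file:
#   1. sid collisions with the installed ruleset, hash-commented lines
#      included, because SELKS registers those as DISABLED and their
#      sids count too;
#   2. rules you changed without increasing rev:, which Scirius ignores.
# Every file and rule below is a constructed sample.

# list_sids FILE: print every sid in FILE, one per line, including sids on
# hash-commented (disabled) lines, sorted numerically, duplicates removed.
list_sids() {
    grep -o 'sid:[[:space:]]*[0-9][0-9]*' "$1" | sed 's/sid:[[:space:]]*//' | sort -un
}

# sid_collisions INSTALLED MINE: print sids that occur in both files.
sid_collisions() {
    tmp=$(mktemp)
    list_sids "$1" > "$tmp"
    list_sids "$2" | grep -Fxf "$tmp" || true   # no match is not an error
    rm -f "$tmp"
}

# rev_not_bumped OLD NEW: print sids whose rule text differs between OLD (the
# copy of your file as it was last registered) and NEW, but whose rev: did
# not increase. Lines are keyed by sid; rev defaults to 0 when absent.
rev_not_bumped() {
    awk '
        function sid(l) { return match(l, /sid:[ \t]*[0-9]+/) ? substr(l, RSTART+4, RLENGTH-4)+0 : -1 }
        function rev(l) { return match(l, /rev:[ \t]*[0-9]+/) ? substr(l, RSTART+4, RLENGTH-4)+0 : 0 }
        FILENAME == ARGV[1] { s = sid($0); if (s >= 0) { oldtext[s] = $0; oldrev[s] = rev($0) }; next }
        { s = sid($0); if (s in oldtext && $0 != oldtext[s] && rev($0) <= oldrev[s]) print s }
    ' "$1" "$2"
}

# make_samples: write constructed sample files into a temp dir and print it.
make_samples() {
    d=$(mktemp -d)
    # "installed" ruleset: one enabled rule, one hash-commented (disabled) rule
    cat > "$d/scirius.rules" <<'EOF'
alert ip any any -> any any (msg:"sample enabled rule"; sid:2000001; rev:3;)
# alert tcp any any -> any any (msg:"sample disabled rule"; sid:2000002; rev:1;)
EOF
    # the pass-rule file as it was last registered
    cat > "$d/mypass.old" <<'EOF'
pass ip 10.0.0.0/8 any -> any any (msg:"pass own vuln scanner"; sid:9000001; rev:1;)
pass ip any any <> 192.0.2.10 any (msg:"pass backup host"; sid:9000002; rev:1;)
EOF
    # the edited pass-rule file: first rule changed with rev bumped (fine),
    # second changed without bump (ignored), third reuses a disabled sid.
    cat > "$d/mypass.rules" <<'EOF'
pass ip 10.0.0.0/8 any -> any any (msg:"pass own vuln scanner"; sid:9000001; rev:2;)
pass ip any any <> 192.0.2.10 any (msg:"pass backup host and its mirror"; sid:9000002; rev:1;)
pass tcp any any -> any any (msg:"colliding sid"; sid:2000002; rev:1;)
EOF
    echo "$d"
}

# Demo run on the constructed samples.
dir=$(make_samples)
echo "sids colliding with the installed ruleset:"
sid_collisions "$dir/scirius.rules" "$dir/mypass.rules"
echo "changed rules whose rev was not increased:"
rev_not_bumped "$dir/mypass.old" "$dir/mypass.rules"
rm -rf "$dir"
```

On the samples the first check reports 2000002 (reused from a commented-out rule, which is exactly the trap ATTENTION describes) and the second reports 9000002 (text changed, rev still 1). Fix both before running updatesuricata, otherwise Scirius either rejects the source or silently keeps the old rule.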