Scirius is a web application for Suricata ruleset management and threat hunting.
StamusNetworks/scirius

Scirius

Introduction

Scirius is a web interface dedicated to Suricata ruleset management. It handles the rules file and updates the associated files.

[Screenshot: suricata update in scirius]

Scirius is developed by Stamus Networks and is available under the GNU GPLv3 license.

Installation and setup

Installing Scirius

Scirius is an application written in Django. You can install it like any other Django application.

The following procedure has been tested on Debian Wheezy and Sid and Ubuntu LTS 12.04.

Dependencies

Scirius uses the following Django modules:

  • tables2
  • south
  • bootstrap3
  • requests
  • revproxy

The easy way to install the dependencies is to use pip.

On Debian, you can run:

aptitude install python-pip python-dev

You can then install Django and the dependencies with:

pip install -r requirements.txt

To use the suri_reloader script, which handles Suricata restarts, you will also need pyinotify:

pip install pyinotify

It has been reported that on some Debian systems, forcing a recent GitPython is required:

pip install gitpython==0.3.1-beta2

You may also need the gitdb module:

pip install gitdb

Running Scirius

Get the source, then run the following inside the source directory:

python manage.py syncdb

Authentication is enabled by default in Scirius, so you will need to create a superuser account when prompted.

One of the easiest ways to try Scirius is to run the Django development server:

python manage.py runserver

You can then connect to localhost:8000.

If you need the application to listen on a reachable address, you can run something like:

python manage.py runserver 192.168.1.1:8000

Suricata setup

Scirius generates a single rules file containing all activated rules. When editing the Suricata object, you have to set the directory where this file is generated and where the associated files of the ruleset are copied.

Scirius won't touch your Suricata configuration file (suricata.yaml), so you have to update it yourself to point to the directory set up by Scirius. If you are only using rules generated by Scirius, your suricata.yaml should contain something like:

default-rule-path: /path/to/rules
rule-files:
 - scirius.rules

To interact with Scirius, you need to detect when the file /path/to/rules/scirius.reload is created, initiate a reload or restart of Suricata when that happens, and delete the reload file once this is done.

One possible way to do that is to use suri_reloader, available in the suricata/scripts directory. A typical suri_reloader invocation looks like:

suri_reloader -p /path/to/rules -l /var/log/suri-reload.log -D

Use the -h option to get the complete list of options. Please note that suri_reloader uses the service command to restart or reload Suricata, so you need an init script for it to work.
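The reload contract described above (Scirius creates scirius.reload, something reloads Suricata and then deletes the marker) is small enough to show in full. The following is an added example and not the project's suri_reloader script: it polls the rules directory with the standard library instead of pyinotify, runs a reload command the caller passes in, and deletes the marker only when that command succeeded, so a failed reload is retried on the next poll instead of being silently dropped. The rules directory and the reload command in the usage block are assumptions.

```python
"""Minimal reload watcher for the Scirius <-> Suricata contract.

Added example, not the project's own suri_reloader: it polls for
<rules_dir>/scirius.reload, runs a reload command and deletes the marker
only when the reload succeeded.
"""
import os
import subprocess
import time

# File name created by Scirius when a ruleset is pushed (from the README).
RELOAD_MARKER = "scirius.reload"


def request_reload(rules_dir):
    """Simulate the Scirius side: create the marker file."""
    open(os.path.join(rules_dir, RELOAD_MARKER), "w").close()


def handle_reload(rules_dir, reload_cmd):
    """Process one reload request.

    Returns one of:
      "idle"   - no marker present, nothing to do
      "ok"     - marker found, reload_cmd succeeded, marker deleted
      "failed" - marker found, reload_cmd failed; the marker is kept so the
                 request is retried on the next poll instead of being lost
    """
    marker = os.path.join(rules_dir, RELOAD_MARKER)
    if not os.path.exists(marker):
        return "idle"
    # reload_cmd is a list, run without a shell, so nothing in the rules
    # directory path can be reinterpreted by a shell.
    result = subprocess.run(reload_cmd, capture_output=True)
    if result.returncode != 0:
        return "failed"
    os.remove(marker)
    return "ok"


def watch(rules_dir, reload_cmd, interval=2.0, max_iterations=None):
    """Poll rules_dir (forever, or max_iterations times) and handle requests."""
    iterations = 0
    while max_iterations is None or iterations < max_iterations:
        state = handle_reload(rules_dir, reload_cmd)
        if state != "idle":
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "reload", state)
        iterations += 1
        time.sleep(interval)


if __name__ == "__main__":
    # Assumed values: the rules directory configured in the Suricata object
    # and a restart through the service command, as suri_reloader does.
    watch("/path/to/rules", ["service", "suricata", "restart"])
```

The watcher must run as a user allowed to both delete files in the rules directory and restart Suricata; keeping the marker on failure means a broken init script shows up as a repeated "reload failed" line rather than a ruleset that silently never loads.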

Link with Elasticsearch

If you are using Suricata with EVE logging and Elasticsearch, you can get information about signatures displayed on the page showing information about Suricata:

[Screenshot: elasticsearch info in scirius]

You can also get graphs and details about a specific rule:

[Screenshot: rule info in scirius]

To set up the Elasticsearch connection, edit settings.py or create a local_settings.py file under the scirius directory. Elasticsearch is activated if the variable USE_ELASTICSEARCH is set to True in settings.py. The address of the Elasticsearch instance is stored in the ELASTICSEARCH_ADDRESS variable and uses the format IP:port.

For example, if your Elasticsearch is running locally, you can add the following to local_settings.py:

USE_ELASTICSEARCH = True
ELASTICSEARCH_ADDRESS = "127.0.0.1:9200"

Please note that the name of the Suricata object (set when editing the object) must match the host key present in the Elasticsearch events.

Link with Kibana

If you are using Kibana, it is possible to get links to your dashboards by clicking the top left icon:

[Screenshot: kibana dropdown menu]

To activate the feature, you need to edit your local_settings.py file:

KIBANA_URL = "http://localhost/"
USE_KIBANA = True

Usage

Authentication and permissions

Scirius uses authentication by default. You will need a superuser to be able to create and edit Scirius users. syncdb should have created one for you; if not, run the following from the Scirius base directory:

python manage.py createsuperuser

The base directory is the directory where the Scirius sources have been extracted. If you are using SELKS, this is /opt/selks/scirius.

You will then be able to connect using the provided credentials.

The permissions system is basic:

  • Superusers can edit and create users
  • Staff members can make changes to rulesets and Suricata

This gives three useful user levels:

  • Read-only: no flag set
  • Staff member: staff flag set; they can update rulesets and Suricata
  • Superuser: staff and superuser flags set; they can do anything

Ruleset management

A Ruleset is made of components selected in different Sources. A Source is a set of files providing information to Suricata; for example, the Emerging Threats ruleset.

To create a ruleset, you thus must create a set of Sources and then link them to the ruleset. Once this is done, you can select which elements of the source you want to use. For example, in the case of a signature ruleset, you can select which categories you want to use and which individual signatures you want to disable.

Once a Ruleset is defined, you can attach it to your Suricata. To do that simply edit the Suricata object and choose the Ruleset in the list.

Creating Source

To create a Source go to Sources -> Add (Add being in the Actions menu in the sidebar). Then set the different fields and click Submit.

A source of datatype "Signatures files in tar archive" has to follow some rules:

  • It must be a tar archive
  • All files must be under a rules directory
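Because such a Source is usually downloaded from a remote URL and then extracted into the directory Suricata reads rules from, it is worth checking the archive before extraction. The following is an added example, not Scirius code: it enforces the two constraints listed above (a tar archive, every file under a rules directory) and additionally rejects members that would escape the extraction directory (absolute paths, ".." components, symlinks and hardlinks), which a legitimate ruleset archive never needs. The sample archives in the test are constructed in memory.

```python
"""Validate a 'Signatures files in tar archive' Source before extraction.

Added example, not Scirius code. Returns a list of problems so the caller
can refuse the whole archive and log why.
"""
import io
import posixpath
import tarfile


def check_rules_archive(data):
    """Return a list of problems found in the tar bytes; empty means OK."""
    problems = []
    try:
        # "r:*" accepts plain, gzip, bzip2 and xz compressed tar files.
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return ["not a tar archive: %s" % exc]
    with tar:
        members = tar.getmembers()
        if not members:
            problems.append("archive is empty")
        for m in members:
            name = m.name
            parts = name.split("/")
            # Path traversal: absolute names or any '..' component.
            if name.startswith("/") or ".." in parts:
                problems.append("%s: path escapes the extraction directory" % name)
                continue
            # Links could point outside the rules directory after extraction.
            if m.issym() or m.islnk():
                problems.append("%s: links are not allowed" % name)
                continue
            if not (m.isfile() or m.isdir()):
                problems.append("%s: unexpected member type" % name)
                continue
            # Constraint from the README: everything lives under rules/.
            norm = posixpath.normpath(name)
            if norm != "rules" and not norm.startswith("rules/"):
                problems.append("%s: not under the rules/ directory" % name)
    return problems


def build_archive(files):
    """Build an in-memory gzip tar from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one well-formed archive and one that would drop a
    # file next to, instead of inside, the rules directory.
    good = build_archive({"rules/emerging-sample.rules": b"# sample\n"})
    bad = build_archive({"emerging-sample.rules": b"# sample\n"})
    print("good:", check_rules_archive(good))
    print("bad:", check_rules_archive(bad))
```

Run the check on the downloaded bytes and only hand the archive to the extraction step when the returned list is empty; the messages are specific enough to go straight into the Source update log.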

For example, if you want to fetch ETOpen Ruleset for Suricata 2.0.1, you can use:

A source of datatype Individual signature files has to be a single file containing signatures.

For example, if you want to use SSL blacklist from abuse.ch, you can use:

Updating Source

To update a Source, you first need to select it. To do that, go to Sources, then select the wanted Source in the table.

You can then click on Update in the menu in the sidebar. This step can take a while, as it may require downloading and heavy parsing.

Once updated, you can browse the result by following the links in the table.

Creating Ruleset

To create a Ruleset go to Ruleset -> Add (Add being in the Actions menu in the sidebar). Then set the name of the Ruleset and choose which Sources to use and click Submit.

Updating Ruleset

To update a Ruleset, you first need to select it. To do that, go to Ruleset, then select the wanted Ruleset in the table.

You can then click on Update in the Action menu in the sidebar. This step can take a while, as it may require downloading the different Sources and heavy parsing.

Editing Ruleset

To edit a Ruleset, you first need to select it. To do that, go to Ruleset, then select the wanted Ruleset in the table.

You can then click on Edit in the Action menu in the sidebar.

There are now different operations available in the Action menu:

  • Edit sources: select which sources of signatures to use in the Ruleset
  • Edit categories: select which categories of signatures to use in the Ruleset
  • Add rule to suppressed list: if a rule is in this list, it will not be part of the generated Ruleset
  • Remove rule from suppressed list: this removes a rule from the previously mentioned list, thus re-enabling it in the Ruleset

Edit Sources

To select which Sources to use, just select them via the checkbox and click on Update sources. Please note that selecting categories to enable is the next step in the process when you add a new source.

Edit Categories

To select which Categories to use, just select them via the checkbox and click on Update categories.

Add rule to suppressed list

Use the search field to find the rule(s) you want to remove; you can enter the SID or any other element of the signature. Scirius searches for the entered text in the definition of each signature and returns the list of matching rules. You can then remove them by ticking their check boxes and clicking on Add selected rules to suppressed list.

Remove rule from suppressed list

To remove rules from the suppressed list, simply check them in the table and click on Remove select rules from suppressed list.
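The search-and-suppress workflow of the two sections above, together with the single generated rules file described under Suricata setup, reduces to three small operations: pull the SID out of each rule line, match a query against the SID or the full signature text, and write out every rule of the enabled categories whose SID is not suppressed. The following is an added example, not Scirius code; the rules are constructed sample signatures with SIDs in a private range, not a real ruleset.

```python
"""Search rules by SID or text and build the generated rules file.

Added example, not Scirius code. Sample rules below are constructed.
"""
import re

# A Suricata rule carries its identifier as 'sid:<number>;' in its options.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample Source: {category: [rule lines as found in the files]}
SAMPLE_SOURCE = {
    "emerging-trojan": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE TROJAN Beacon"; content:"/beacon"; sid:9000001; rev:1;)',
        'alert dns $HOME_NET any -> any 53 (msg:"SAMPLE TROJAN DNS lookup"; content:"bad.example"; sid:9000002; rev:2;)',
    ],
    "emerging-scan": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN SSH sweep"; flags:S; sid:9000003; rev:1;)',
        "# rules commented out in the source are not active and are skipped",
        '#alert tcp any any -> any 23 (msg:"SAMPLE disabled telnet"; sid:9000004; rev:1;)',
    ],
}


def parse_rules(lines):
    """Yield (sid, rule_text) for active (non-comment) rules carrying a SID."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            yield int(m.group(1)), line


def search_rules(source, query):
    """Return sorted SIDs whose SID equals `query` or whose text contains it."""
    query = query.strip()
    hits = []
    for rules in source.values():
        for sid, text in parse_rules(rules):
            if query == str(sid) or query.lower() in text.lower():
                hits.append(sid)
    return sorted(hits)


def build_ruleset(source, enabled_categories, suppressed_sids):
    """Return the content of the single generated rules file.

    Only enabled categories are included, and any rule whose SID is in the
    suppressed list is left out, which is exactly what suppressing a rule
    in the Ruleset means for the file Suricata loads.
    """
    out = []
    for category in sorted(enabled_categories):
        for sid, text in parse_rules(source.get(category, [])):
            if sid in suppressed_sids:
                continue
            out.append(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("matches for 'trojan':", search_rules(SAMPLE_SOURCE, "trojan"))
    print(build_ruleset(SAMPLE_SOURCE, {"emerging-trojan", "emerging-scan"}, {9000001}))
```

Matching on the whole signature text is what lets a query such as a hostname, a content string or a classtype find every rule that references it, not only rules whose msg happens to mention it.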

Updating Suricata ruleset

To update the Suricata ruleset, you can go to Suricata -> Update (Update being in the Actions menu). Then you have to select which action you want to perform:

  • Update: download the latest version of the Sources used by the Ruleset
  • Build: build a Suricata ruleset based on the current version of the Sources
  • Push: trigger a Suricata reload to have it running with the latest built ruleset

You can also update the ruleset and trigger a Suricata reload by running:

python manage.py updatesuricata