6. Adding local rules


From 'Adv Config', the administrator accesses the following functionality:



The 'Edit local rules' menu allows local detection rules to be edited, i.e. rules defined per capture interface on the GCap probe that are deliberately not visible at the GCenter level.

With this version deployed on the TRACKWATCH solution, there are several use cases:

  • Make signatures confidential without GCenter operators being able to see them (notion of 'need to know')

  • Make a modification of the local signatures of the probes in complex cases

  • When the GCenter is entrusted to a third party and the latter cannot handle markers or signatures of a certain level

The administrator selects the interface whose detection rule file is to be edited locally. Note that this menu is only available if the function has been activated beforehand on the GCenter (Administrators/GCaps/Profiles/Multitenant by interfaces).


Editing can be done here on the four capture interfaces of the GCap probe: 'Mon0', 'Mon1', 'Mon2' and 'Mon3'. Each capture interface has its own file containing the detection rules.

Once in the interface, the detection rules can be copied and pasted. A first nano window allows you to add signatures that will generate alerts on the reconstructed stream. There is no limit on the number of signatures per interface, but they must not reuse a SID identifier already used by the rules present on the probe.

The SID numbering used by our rules is as follows:

  • From 1 to 406

  • From 211000 to 220121

  • From 904200000 to 904200115

  • From 902200000 to 902202690

In addition, "1000000" and "2000000-3000000" are the other SID ranges, corresponding respectively to CTI and ETPRO. We recommend using SIDs outside all of these ranges (example: 99XXXXXXX or 4XXXXXX) to be sure to avoid collisions.
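As an added example (not part of the original documentation or of the GCap software), the following Python check can be run over a local rules file before it is pasted into the nano window: it extracts each rule's SID and flags collisions with the ranges listed above, SIDs reused within the file, and rules that carry no SID at all. The page quotes the CTI block only as "1000000"; treating it as 1000000-1999999 is an assumption of this example, and the sample rules are constructed.

```python
import re

# Reserved SID ranges from the page (inclusive). CTI is only quoted there as
# "1000000"; treating it as 1000000-1999999 is this example's assumption.
RESERVED_SID_RANGES = [
    (1, 406),
    (211_000, 220_121),
    (904_200_000, 904_200_115),
    (902_200_000, 902_202_690),
    (1_000_000, 1_999_999),   # CTI (assumed extent)
    (2_000_000, 3_000_000),   # ETPRO
]
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sid_is_reserved(sid: int) -> bool:
    # True if sid falls inside a range used by the shipped rule sets
    return any(lo <= sid <= hi for lo, hi in RESERVED_SID_RANGES)


def check_local_rules(text: str) -> dict:
    """Classify each rule line: 'ok', 'reserved' (collides with a shipped
    range), 'duplicate' (SID reused in this file) or 'missing' (no sid
    keyword). Each value is a list of (line_number, sid) tuples."""
    result = {"ok": [], "reserved": [], "duplicate": [], "missing": []}
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no SID
        m = SID_RE.search(stripped)
        if m is None:
            result["missing"].append((lineno, None))
            continue
        sid = int(m.group(1))
        if sid in seen:
            result["duplicate"].append((lineno, sid))
        elif sid_is_reserved(sid):
            result["reserved"].append((lineno, sid))
        else:
            result["ok"].append((lineno, sid))
        seen.add(sid)
    return result


# Constructed sample: a valid rule, an ETPRO-range SID, a duplicate SID, no sid.
SAMPLE_LOCAL_RULES = """\
# local rules for Mon0
alert tcp any any -> any 4444 (msg:"LOCAL test 1"; sid:990000001; rev:1;)
alert tcp any any -> any 4445 (msg:"LOCAL wrong range"; sid:2500000; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL dup"; sid:990000001; rev:2;)
alert icmp any any -> any any (msg:"LOCAL no sid"; rev:1;)
"""
```

Only lines reported under 'ok' should be pasted; the 'reserved' entries are the collisions the recommendation above is meant to avoid.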

A second nano input window then appears, where other types of rules can be added in order to limit or suppress certain alerts: Suppress Rules, which suppress an alert according to the source or destination IP address, and Threshold Rules, which limit the number of alerts displayed for one or more networks.

It is therefore possible to have detection rules and thresholds per capture interface.

Press 'OK' to validate the addition of the signatures.

The same can be done with the following CLI commands:

show config-files [threshold|rules-files|rules-scirius|suricata-config]

set advanced-configuration packet-filtering delete [rule-index|begin-end] confirm

set advanced-configuration local-rules [tenant]