7.3.1. SIGFLOW engine rule sources

7.3.1.1. Introduction

The rules and their organization are described in the paragraph Organizing the rules.
The configuration interface is described in the `Config - sigflow/rulesets` screen of the legacy web UI.

A source is broken down as follows:

  • Detection rules are found in categories

  • Categories are found in sources

  • Sources are in rulesets

Note

Categories are not mandatory. They enable improved organisation of the source.

This procedure describes:

  • Managing the existing sources

  • Managing the categories and rules made available in the sources

  • Adding public or customized sources

Note

Sources should be added to a Ruleset that will then be made available to the GCap.

For                                  go to
Visualise existing sources           Procedure to view the existing sources
Add a public source                  Procedure to add a public source
Add a custom source                  Procedure to add a custom source
Delete a source                      Procedure to delete a source
Edit a source                        Procedure to edit a source
Update a source                      Procedure to update a source

This configuration interface is described in the Web UI `Assets` screen.


7.3.1.2. Prerequisites

  • User: member of the Operator group


7.3.1.3. Preliminary operations


7.3.1.4. Procedure to view the existing sources

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-01.PNG]
      From the source management interface, the available sources are displayed (7).
      The following types of information are displayed:

      • The name of the source (CTI, ETPRO, LastInfoSec...)

      • The date and time of the last update

      • The number of categories and signatures

Note

It is possible to add a MISP source.
For this, contact the administrator.

7.3.1.5. Procedure to add a public source

  • Preliminary step: the GCenter must be connected to the Internet.
    This is done in the GCenter configuration (PROXY parameter): in case of doubt, refer to the administrator.

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-01.PNG]

  • Click on the `Add public source` link (4).
    The `Sources` window is displayed.
    [Screenshot SOURCES-03.PNG]
    The window displays the list of available sources (2) once connected to the Internet.
    If the Internet connection is not active, an error message is displayed.

  • Activate the desired public source (for example mark 3) by clicking on the `Enable` button (4).
    The ` source and/open` window is displayed.
    [Screenshot SOURCES-04.PNG]

  • Change the source name (1) if needed.

Note

The name is also used as the file name, so only alphanumeric characters, underscore, slash and dot can be used. In particular, spaces and commas are not allowed.

  • Add the source to the default ruleset (2) if needed.

  • Add a comment (3) if needed.

  • Enter the source editor token if necessary.

  • Validate the entry by clicking on the `Submit` button (4), or cancel with the `Cancel` button (5).
    The following messages are displayed in turn: `Source fully activated`, `Source updated` and `Source is valid`.
    A link is active to display the details of this new source.
    The new source has been added to the `Sources` screen.
    [Screenshot SOURCES-05.PNG]

7.3.1.6. Procedure to add a custom source

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-01.PNG]

    Two methods are possible:

    • Method 1: HTTP URL, or

    • Method 2: Upload

  • Method 1: HTTP URL
    From the source management interface:

    • Click on the `Add custom source` link (5)

    • Enter a name for the added source

    • Choose the `HTTP URL` method

    • Choose the file format of the added rules: TAR archive (signature files in a tar archive) or plain text file (individual signature file)

    • Enter the URL of the target file on the remote HTTP server

    • Tick the ruleset(s) in which to add the source - several rulesets can be ticked

    • If necessary, add a comment (optional)

    • Click on the `Submit` button.

  • Method 2: Upload
    From the source management interface:

    • Click on the `Add custom source` link

    • Enter a name for the added source

    • Choose the `Upload` method

    • Choose the file format of the added rules: TAR archive (signature files in a tar archive) or plain text file (individual signature file)

    • Tick the ruleset(s) in which to add the source - several rulesets can be ticked

    • Choose the rules file to be added

    • If necessary, add a comment (optional)

    • Click on the `Submit` button.

Checks are made on the entry. For example:

  • the message `Error during source update: Invalid URL 'toto.com': No scheme supplied. Perhaps you meant http://toto.com?` indicates that the URL was entered without a scheme

  • the message `Invalid filename` indicates that the source name is not in a valid file name format

Note

The rule files in the TAR archive make it possible to create categories within the source: each sub-folder of the archive becomes a category of the source.
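As an added, constructed example (not product code), the pre-flight checks below mirror the three points made above: the source name must be usable as a file name, an HTTP URL must carry a scheme, and the sub-folders of a TAR archive become the categories. The regular expression, the scheme check and the way signatures are counted are assumptions, not the GCenter's actual validation logic.

```python
# Pre-flight checks for a GCenter custom source. Added, constructed example,
# not product code. Assumptions: NAME_RE approximates the "file name" rule,
# the URL check only looks for a scheme, and any non-empty, non-comment line
# of a signature file counts as one signature.
import io
import re
import tarfile
from urllib.parse import urlparse

NAME_RE = re.compile(r"^[A-Za-z0-9_./]+$")  # alphanumeric, underscore, slash, dot

def check_source_name(name: str) -> bool:
    """True when the name is usable as a file name (no spaces or commas)."""
    return bool(NAME_RE.match(name))

def check_http_url(url: str):
    """None when the URL carries a scheme, else an error in the UI's wording."""
    if urlparse(url).scheme not in ("http", "https"):
        return (f"Error during source update: Invalid URL '{url}': "
                f"No scheme supplied. Perhaps you meant http://{url}?")
    return None

def categories_in_archive(data: bytes) -> dict:
    """Map each top-level sub-folder (future category) to its signature count."""
    counts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            category = parts[0] if len(parts) > 1 else "(none)"  # root files: no category
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                if line.strip() and not line.lstrip().startswith("#"):
                    counts[category] = counts.get(category, 0) + 1
    return counts

def build_sample_archive() -> bytes:
    """Constructed tar.gz: two sub-folders, three signatures and one comment line."""
    files = {
        "malware/a.rules": '# constructed\nalert tcp any any -> any any (msg:"a"; sid:1;)\n',
        "malware/b.rules": 'alert tcp any any -> any any (msg:"b"; sid:2;)\n',
        "policy/c.rules": 'alert udp any any -> any any (msg:"c"; sid:3;)\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()
```

Running `categories_in_archive(build_sample_archive())` reports `malware` with 2 signatures and `policy` with 1, which is what the `Sources` screen would show as categories once the archive is submitted.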


7.3.1.7. Procedure to delete a source

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-05.PNG]

  • Click on the three vertical dots of the source to be deleted (1).

  • Click on the `Delete source` command.
    A message `Are you sure you want to delete object ***?` is displayed.

  • If necessary, add a comment (optional).

  • Click on the `Delete object` button.

Or

  • Click on the `View` button of the desired source.

  • Click on the `Delete` link in the list of actions on the left.
    A message `Are you sure you want to delete object ***?` is displayed.

  • If necessary, add a comment (optional).

  • Click on the `Delete object` button.


7.3.1.8. Procedure to edit a source

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-01.PNG]

  • Click on the `View` button (9) of the desired source.
    The following window is displayed.
    [Screenshot SOURCES-02.PNG]

  • Click on `Edit` (6).

  • Change the desired parameters: method, file type, public source and rules file.

  • Add a comment if necessary (optional).

  • Click on the `Submit` button.


7.3.1.9. Procedure to update a source

Note

Updating sources via this procedure only applies to customized or public sources.
The update is performed only if the rules file on the remote server or at the editor has itself been updated.

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Sources` button of the `Sigflow` menu.
      The `Sources` window is displayed.
      [Screenshot SOURCES-01.PNG]

  • Click on the `View` button (9) of the desired source.
    The following window is displayed.
    [Screenshot SOURCES-02.PNG]

  • Click on `Update` (7).
    The following screen is displayed.
    [Screenshot SOURCES-06.PNG]

    The window shows:

    • The summary (1)

    • The history (2)

    It is possible to click on a changelog entry to view its content.