sep/scirius

 
 


Scirius

Introduction

Scirius is a web interface dedicated to Suricata ruleset management. It handles the rules files and the update of their associated files.

[Screenshot: Suricata update in Scirius]

Scirius is developed by Stamus Networks and is available under the GNU GPLv3 license.

Installation and setup

Installing Scirius

Scirius is an application written in Django. You can install it like any other Django application.

The following procedure has been tested on Debian Wheezy and Sid and Ubuntu LTS 12.04.

Dependencies

Scirius uses the following Django modules:

  • tables2
  • south
  • bootstrap3
  • requests
  • revproxy

The easiest way to install the dependencies is to use pip. On Debian, you can install it with:

aptitude install python-pip python-dev

You can then install Django and the dependencies:

pip install -r requirements.txt

To use the suri_reloader script, which handles Suricata restarts, you also need pyinotify:

pip install pyinotify

It has been reported that on some Debian systems forcing a recent GitPython is required:

pip install gitpython==0.3.1-beta2

You may also need the gitdb module:

pip install gitdb

Running Scirius

Get the source, then run from inside the source directory:

python manage.py syncdb

Authentication is enabled by default in Scirius, so you will need to create a superuser account when prompted.

One of the easiest ways to try Scirius is to run the Django test server:

python manage.py runserver

You can then connect to localhost:8000.

If you need the application to listen on a reachable address, you can run something like:

python manage.py runserver 192.168.1.1:8000

Suricata setup

Scirius generates a single rules file containing all activated rules. When editing the Suricata object, you have to set the directory where this file is generated and where the associated files of the ruleset are copied.

Scirius won't touch your Suricata configuration file (suricata.yaml), so you have to update it yourself to point to the directory where Scirius writes its data. If you only use rules generated by Scirius, your suricata.yaml should contain something like:

default-rule-path: /path/to/rules
rule-files:
 - scirius.rules

To interact with Scirius, you need to detect when the /path/to/rules/scirius.reload file is created, initiate a reload or restart of Suricata when that happens, and delete the reload file once this is done.

One possible way to do that is to use suri_reloader, available in the suricata/scripts directory. The syntax of suri_reloader can be something like:

suri_reloader -p /path/to/rules -l /var/log/suri-reload.log -D

Use the -h option to get the complete list of options. Please note that suri_reloader uses the service command to restart or reload Suricata. This means you need an init script for Suricata to get it working.
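The reload contract described above, as an added example that is not part of Scirius or its suri_reloader script: a watcher that acts on the scirius.reload flag file, reloads Suricata through the service command, and removes the flag only after the reload succeeded, so a failed reload is retried rather than silently dropping the rule update. suri_reloader uses pyinotify; this version polls so it needs only the standard library. The function names are this example's own.

```python
import os
import subprocess
import sys
import time

# Added example, not Scirius code. Scirius drops <rules dir>/scirius.reload
# after building a ruleset; this watcher reloads Suricata and removes the flag.
RELOAD_FLAG = "scirius.reload"


def default_runner(cmd):
    """Run the reload command; True when it exits 0."""
    return subprocess.run(cmd, check=False).returncode == 0


def handle_reload(rules_dir, runner=default_runner, service="suricata"):
    """Check once for the reload flag.

    Returns "idle" when no flag is present, "reloaded" when Suricata was
    reloaded and the flag removed, and "failed" when the reload command
    failed. On failure the flag is kept so the next pass retries instead
    of losing the pending rule update.
    """
    flag = os.path.join(rules_dir, RELOAD_FLAG)
    if not os.path.isfile(flag):
        return "idle"
    # Same mechanism as suri_reloader: the service command, so an init
    # script for Suricata must exist on the host.
    if not runner(["service", service, "reload"]):
        return "failed"
    os.remove(flag)
    return "reloaded"


def watch(rules_dir, interval=2.0, runner=default_runner):
    """Poll the rules directory forever, acting on each reload request."""
    while True:
        handle_reload(rules_dir, runner)
        time.sleep(interval)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "/path/to/rules")
```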

If you are using Suricata with EVE logging and Elasticsearch, signature statistics are displayed on the page showing information about Suricata:

[Screenshot: Elasticsearch info in Scirius]

You can also get graphs and details about a specific rule:

[Screenshot: rule info in Scirius]

To set up the Elasticsearch connection, edit settings.py or create a local_settings.py file under the scirius directory. Elasticsearch is activated if a variable named USE_ELASTICSEARCH is set to True in settings.py. The address of the Elasticsearch server is stored in the ELASTICSEARCH_ADDRESS variable and uses the format IP:port.

For example, if your Elasticsearch is running locally, you can add to local_settings.py:

USE_ELASTICSEARCH = True
ELASTICSEARCH_ADDRESS = "127.0.0.1:9200"

Please note that the name of the Suricata object (set when editing the object) must be equal to the host key present in Elasticsearch events.

If you are using Kibana, it is possible to get links to your dashboards by clicking the top left icon:

[Screenshot: Kibana dropdown menu]

To activate the feature, you need to edit your local_settings.py file:

KIBANA_URL = "http://localhost/"
USE_KIBANA = True

Usage

Authentication and permissions

Scirius uses authentication by default. You need a superuser to be able to create and edit users for Scirius. syncdb should have created one for you. If not, you can run from the Scirius base directory:

python manage.py createsuperuser

The base directory is the directory where the Scirius sources have been extracted. If you are using SELKS, this is /opt/selks/scirius.

You will then be able to connect using the provided credentials.

The permission system is basic:

  • Superuser can edit and create users
  • Staff members can change rulesets and Suricata objects

This gives three useful levels for users:

  • Read-only: no flag set
  • Staff member: with the staff flag set, they can update rulesets and Suricata objects
  • Superuser: with both the staff and superuser flags set, they can do anything

Ruleset management

A Ruleset is made of components selected in different Sources. A Source is a set of files providing information to Suricata; for example, this can be the EmergingThreats ruleset.

To create a ruleset, you must therefore create a set of Sources and then link them to the ruleset. Once this is done, you can select which elements of the source you want to use. For example, in the case of a signature ruleset, you can select which categories you want to use and which individual signatures you want to disable.

Once a Ruleset is defined, you can attach it to your Suricata. To do that, simply edit the Suricata object and choose the Ruleset in the list.

Creating Source

To create a Source go to Sources -> Add (Add being in the Actions menu in the sidebar). Then set the different fields and click Submit.

A source of datatype Signatures files in tar archive has to follow some rules:

  • It must be a tar archive
  • All files must be under a rules directory

For example, if you want to fetch the ETOpen ruleset for Suricata 2.0.1, you can use:

A source of datatype Individual signature files has to be a single file containing signatures.

For example, if you want to use the SSL blacklist from abuse.ch, you can use:

Updating Source

To update a Source, you first need to select it. To do that, go to Sources, then select the wanted Source in the table.

You can then click on Update in the menu in the sidebar. This step can take a while, as it may require downloads and heavy parsing.

Once updated, you can browse the result by following the links in the table.

Creating Ruleset

To create a Ruleset, go to Ruleset -> Add (Add being in the Actions menu in the sidebar). Then set the name of the Ruleset, choose which Sources to use and click Submit.

Updating Ruleset

To update a Ruleset, you first need to select it. To do that, go to Ruleset, then select the wanted Ruleset in the table.

You can then click on Update in the Action menu in the sidebar. This step can take a while, as it may require downloading the different Sources and heavy parsing.

Editing Ruleset

To edit a Ruleset, you first need to select it. To do that, go to Ruleset, then select the wanted Ruleset in the table.

You can then click on Edit in the Action menu in the sidebar.

There are now different operations available in the Action menu:

  • Edit sources: select which sources of signatures to use in the Ruleset
  • Edit categories: select which categories of signatures to use in the Ruleset
  • Add rule to suppressed list: if a rule is in this list, it will not be part of the generated Ruleset
  • Remove rule from suppressed list: this removes a rule from the previously mentioned list, thus re-enabling it in the Ruleset

Edit Sources

To select which Sources to use, just select them via the checkboxes and click on Update sources. Please note that selecting the categories to enable is the next step in the process when you add a new source.

Edit Categories

To select which Categories to use, just select them via the checkboxes and click on Update categories.

Add rule to suppressed list

Use the search field to find the rule(s) you want to remove; you can use the SID or any other element of the signature. Scirius searches the entered text in the signature definitions and returns the list of matching rules. You can then remove them by ticking their check boxes and clicking on Add selected rules to suppressed list.

Remove rule from suppressed list

To remove rules from the suppressed list, simply check them in the table and click on Remove selected rules from suppressed list.
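The build step behind Edit categories and the suppressed list, as an added example that is not Scirius's own code: rules from the enabled categories are merged into a single scirius.rules file, rules whose SID is on the suppressed list are left out, and rules a vendor ships commented out stay disabled. The sample rules and category names are constructed; the function names are this example's own.

```python
import re

# Added example, not Scirius code: a minimal version of the ruleset build.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: category name -> rule lines, as a Source would provide them.
SOURCE = {
    "emerging-trojan": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example beacon"; sid:2010001; rev:3;)',
        '#alert tcp any any -> any 80 (msg:"ET TROJAN Disabled by vendor"; sid:2010002; rev:1;)',
    ],
    "emerging-scan": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Example SSH scan"; sid:2010003; rev:2;)',
    ],
    "emerging-policy": [
        'alert tcp any any -> any 21 (msg:"ET POLICY Example FTP login"; sid:2010004; rev:1;)',
    ],
}


def rule_sid(line):
    """Return the SID of a rule line, or None when the line carries none."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def build_ruleset(source, enabled_categories, suppressed_sids):
    """Return the lines of scirius.rules for the chosen categories."""
    out = []
    for cat in sorted(enabled_categories):
        for line in source.get(cat, []):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # commented-out rules are not activated
            sid = rule_sid(line)
            if sid is None or sid in suppressed_sids:
                continue  # no SID (Suricata would reject it) or suppressed
            out.append(line)
    return out


def write_ruleset(path, lines):
    """Write the single rules file Suricata is pointed at in suricata.yaml."""
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
```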

Thresholding

Suricata features a thresholding system that allows changing the behavior of a given alert. There are currently two operations supported by Scirius:

  • Suppress: suppress the alert for a signature when the source or destination IP is in a defined range
  • Threshold: limit the number of alerts for a signature, either by capping the number of alerts in a time range or by requiring a minimum number of matches in a time range before alerting

Both operations can be accessed via a rule page. Clicking on the down arrow in the Source or Destination IP table opens a page where a Threshold can be added. Clicking on the cross adds a Suppress operation.

The list of Thresholds and Suppresses for a rule can be seen from the Rules info tab.

Thresholds and Suppresses are bound to a Ruleset. You can see all the defined ones from the Ruleset page.

To edit or delete a Threshold or a Suppress, simply click on the displayed ID, then select Edit or Delete in the left menu.
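The two operations above rendered into Suricata's threshold.config syntax, as an added example that is not Scirius's own code: a Suppress becomes a `suppress` line keyed on a source or destination range, a Threshold becomes a `threshold` line of type `limit` (at most `count` alerts per `seconds`) or `threshold` (alert only once `count` matches occur within `seconds`). Inputs are validated first so a bad range or count cannot produce a line Suricata rejects at load time. The function names and the entry dictionaries are this example's own.

```python
import ipaddress

# Added example, not Scirius code: render Threshold/Suppress entries for Suricata.
TRACKS = {"by_src", "by_dst"}
THRESHOLD_TYPES = {"limit", "threshold", "both"}


def _ip(ip_range):
    """Validate a host or CIDR; hosts are rendered without a /32 or /128 suffix."""
    net = ipaddress.ip_network(ip_range, strict=False)
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def suppress_line(sid, track, ip_range, gen_id=1):
    """Suppress alerts for `sid` when the tracked IP is inside `ip_range`."""
    if track not in TRACKS:
        raise ValueError("track must be by_src or by_dst")
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (gen_id, sid, track, _ip(ip_range))


def threshold_line(sid, kind, track, count, seconds, gen_id=1):
    """Rate-limit `sid`; `kind` is limit, threshold or both (Suricata's types)."""
    if kind not in THRESHOLD_TYPES:
        raise ValueError("type must be limit, threshold or both")
    if track not in TRACKS:
        raise ValueError("track must be by_src or by_dst")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    return ("threshold gen_id %d, sig_id %d, type %s, track %s, count %d, seconds %d"
            % (gen_id, sid, kind, track, count, seconds))


def render_threshold_config(entries):
    """Render a Ruleset's entries (dicts with 'op' of suppress or threshold) to a file body."""
    lines = []
    for e in entries:
        if e["op"] == "suppress":
            lines.append(suppress_line(e["sid"], e["track"], e["ip"]))
        elif e["op"] == "threshold":
            lines.append(threshold_line(e["sid"], e["type"], e["track"], e["count"], e["seconds"]))
        else:
            raise ValueError("unknown operation %r" % (e["op"],))
    return "\n".join(lines) + "\n"
```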

Updating Suricata ruleset

To update the Suricata ruleset, go to Suricata -> Update (Update being in the Actions menu). Then select which action you want to perform:

  • Update: download the latest version of the Sources used by the Ruleset
  • Build: build a Suricata ruleset based on the current version of the Sources
  • Push: trigger a Suricata reload so that it runs with the latest built ruleset

You can also update the ruleset and trigger a Suricata reload by running:

python manage.py updatesuricata

Backup

To start a backup, run:

python manage.py scbackup

To restore a backup and erase all your current data, you can run:

python manage.py screstore
python manage.py migrate

This will restore the latest backup. To choose another backup, give its filename as first argument. To get the list of available backups, use:

python manage.py listbackups

You cannot restore a backup to a Scirius version older than the one on which the backup was made.

With the default configuration file, backups are written to disk in /var/backups, but other storage methods are available. As Scirius uses the django-dbbackup application for backup and restore, it benefits from all methods available in that application. These include at least:

  • FTP
  • Amazon AWS
  • Dropbox

Please see the django-dbbackup configuration documentation for more information on the available methods and their configuration.
