CloudShark Support

Threat Assessment Rules

The CloudShark Threat Assessment addon is installed with an initial set of the Emerging Threats Open rules. By default these rules are never updated after the initial installation of the addon. Customers with the Threat Assessment addon may have rules that they have developed or purchased themselves that can be used with CloudShark.

Configuration files

CloudShark uses the configuration files in /usr/cloudshark/etc/suricata/ to determine the rules and variable settings used during a threat assessment. Suricata runs behind the scenes and generates the threat alerts from the traffic in the capture file.

Rule variables

The file suricata-vars.yaml can be modified to configure the variables which are used in rules. Here is a link describing the Suricata configuration for this:

Suricata Rule-vars

Rule files

The file suricata-rules.yaml can be modified to point Suricata to files containing the rules. Here is a link describing the Suricata configuration for rule files:

Suricata Rule-files

The default-rule-path: setting should not be changed and must be set to /usr/cloudshark/etc/suricata/rules/ for threat assessment to work properly.

Reloading

After changing either of these configurations, Suricata has to be reloaded before the new variables and rule files take effect. The following command, run as the cloudshark user, reloads Suricata:

cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"

Caching

CloudShark runs the capture through Suricata once and caches the result; subsequent requests return the cached result without rerunning the capture through Suricata. The cache can be invalidated by updating the last modified date of the file /usr/cloudshark/etc/suricata/RULES-VERSION, for example with the command touch /usr/cloudshark/etc/suricata/RULES-VERSION. The next time a user requests a threat assessment, the capture is rerun using any new rules or configuration changes to Suricata.

Examples

Updating the ET Open rules

Here is an example script that can be used to pull down the latest Emerging Threats Open ruleset nightly and restart CloudShark to use these rules:

#!/bin/bash
# Abort on any failed command, including a failed download inside the pipeline,
# so RULES-VERSION is only rewritten (and the cache only invalidated) after the
# new rules were actually extracted.
set -eo pipefail

DATE=$(date +%Y-%m-%d)
VERSION="Alerts provided by Emerging Threats ${DATE}"

# Download and extract the ET Open rules (-f makes an HTTP error fail the
# pipeline instead of piping an error page into tar)
curl -sf https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -xz -C /usr/cloudshark/etc/suricata/

# Record the ruleset version; rewriting this file invalidates cached assessments
echo "${VERSION}" > /usr/cloudshark/etc/suricata/RULES-VERSION

# Reload Suricata so the new rules are used
cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"

Updating the ET Pro rules

If you have purchased the Emerging Threats Pro ruleset, here is a script into which you can paste the OINK code you were provided to download your rules:

#!/bin/bash
# Abort on any failed command, including a failed download inside the pipeline,
# so RULES-VERSION is only rewritten (and the cache only invalidated) after the
# new rules were actually extracted.
set -eo pipefail

SURICATA_VERSION="4.0.0"
OINK_CODE="<PASTE OINK CODE>"

DATE=$(date +%Y-%m-%d)
VERSION="Alerts provided by Emerging Threats ${DATE}"

# Download and extract the ET Pro rules (-f makes an HTTP error, such as a
# rejected OINK code, fail the pipeline instead of piping an error page into tar)
curl -sf "https://rules.emergingthreatspro.com/${OINK_CODE}/suricata-${SURICATA_VERSION}/etpro.rules.tar.gz" | tar -xz -C /usr/cloudshark/etc/suricata/

# Record the ruleset version; rewriting this file invalidates cached assessments
echo "${VERSION}" > /usr/cloudshark/etc/suricata/RULES-VERSION

# Reload Suricata so the new rules are used
cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"

Updating nightly

Your update script pulls down the new rules whenever it is run, so adding it to cron updates your rules on a schedule. If the script is saved as /home/cloudshark/update_rules.sh, running crontab -e opens the crontab for editing. Adding the following line calls /home/cloudshark/update_rules.sh each night at 4:00 AM:

0 4 * * * /home/cloudshark/update_rules.sh
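The scripts above extract the download straight into the live rules directory and rewrite RULES-VERSION unconditionally, so a failed or empty download can invalidate the cache while leaving Suricata with broken rules. The following added example (not CloudShark's own script) stages the archive first and only swaps it in, stamps RULES-VERSION and reloads once the archive actually contains rules. It assumes the archive unpacks to a rules/ directory, as the default-rule-path setting above implies, and that SURICATA_ETC may be overridden for testing against a scratch directory.

```shell
#!/bin/bash
# Added example, not CloudShark's own script. Stages a downloaded Emerging
# Threats archive before it replaces the live rules, so a failed or empty
# download never touches RULES-VERSION (and so never invalidates the cache)
# or leaves Suricata with a half-extracted rules/ directory.
# Assumption: SURICATA_ETC is overridable so the functions can be tried
# against a scratch directory; the default is the path the page documents.
set -eu
SURICATA_ETC="${SURICATA_ETC:-/usr/cloudshark/etc/suricata}"

# Download to a file with -f so an HTTP error page is an error, not tar input.
fetch_rules() {
    curl -fsSL "$1" -o "$2"
}

# install_rules ARCHIVE: unpack into a staging directory, require a rules/
# tree holding at least one .rules file, swap it into place (keeping the
# previous tree as rules.old for rollback), then stamp RULES-VERSION.
# Returns 1 and leaves the live directory untouched on any failure.
install_rules() {
    archive="$1"
    staging=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$staging" 2>/dev/null || [ ! -d "$staging/rules" ]; then
        rm -rf "$staging"; return 1
    fi
    count=$(find "$staging/rules" -name '*.rules' -type f | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -rf "$staging"; return 1
    fi
    mkdir -p "$SURICATA_ETC"
    rm -rf "$SURICATA_ETC/rules.old"
    if [ -d "$SURICATA_ETC/rules" ]; then
        mv "$SURICATA_ETC/rules" "$SURICATA_ETC/rules.old"
    fi
    mv "$staging/rules" "$SURICATA_ETC/rules"
    rm -rf "$staging"
    echo "Alerts provided by Emerging Threats $(date +%Y-%m-%d)" > "$SURICATA_ETC/RULES-VERSION"
}

# update_from_url URL: the whole nightly job. Because of set -e, a failed
# download or a rejected archive stops here and Suricata is never reloaded.
update_from_url() {
    tarball=$(mktemp)
    fetch_rules "$1" "$tarball"
    install_rules "$tarball"
    rm -f "$tarball"
    cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"
}
```

Call update_from_url with the ET Open or ET Pro archive URL from the scripts above in place of the curl pipeline, and schedule it from cron the same way.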

About CloudShark

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.
