The CloudShark Threat Assessment addon is installed with an initial set of the Emerging Threats Open rules. By default these rules are never updated after the initial installation of the addon. Customers with the Threat Assessment addon may have rules that they have developed or purchased themselves that can be used with CloudShark.
Configuration files
CloudShark uses the configuration files in /usr/cloudshark/etc/suricata/ to
determine the rules and variable settings used during a threat assessment.
Suricata is used behind the scenes to generate
threats based on the traffic in the capture file.
Rule variables
The file suricata-vars.yaml can be modified to configure the variables which
are used in rules. Here is a link describing the Suricata configuration for
this:
Rule files
The file suricata-rules.yaml can be modified to point Suricata to files
containing the rules. Here is a link describing the Suricata configuration for
rule files:
The default-rule-path: setting should not be changed and must be set to
/usr/cloudshark/etc/suricata/rules/ for threat assessment to work properly.
Reloading
After changing either of these configurations Suricata will have to be reloaded
to use the new variables and rules files. Here is a command that can be run as
the cloudshark user to reload Suricata:
cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"
Caching
CloudShark runs the capture through Suricata once and then caches the result
which gets returned on subsequent requests without rerunning the capture
through Suricata. The cache can be invalidated by updating the last modified
date of the file /usr/cloudshark/etc/suricata/RULES-VERSION. This can be done
using the command touch /usr/cloudshark/etc/suricata/RULES-VERSION. Then
when a users requests a threat assessment the capture will be rerun using any
new rules or configuration changes to Suricata.
Examples
Updating the ET Open rules
Here is an example script that can be used to pull down the latest Emerging Threats Open ruleset nightly and restart CloudShark to use these rules:
#!/bin/bash
DATE=$(date +%Y-%m-%d)
VERSION="Alerts provided by Emerging Threats ${DATE}"
# Download and extract Pro rules
curl -s https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz| tar -xz -C /usr/cloudshark/etc/suricata/
# Echo version
echo ${VERSION} > /usr/cloudshark/etc/suricata/RULES-VERSION
# Restart suricata
cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"
Updating the ET Pro rules
If you have purchased the Emerging Threats Pro ruleset here is a script where you can paste your provided OINK code to download your rules:
#!/bin/bash
SURICATA_VERSION="4.0.0"
OINK_CODE="<PASTE OINK CODE>"
DATE=$(date +%Y-%m-%d)
VERSION="Alerts provided by Emerging Threats ${DATE}"
# Download and extract Pro rules
curl https://rules.emergingthreatspro.com/${OINK_CODE}/suricata-${SURICATA_VERSION}/etpro.rules.tar.gz | tar -xz -C /usr/cloudshark/etc/suricata/
# Echo version
echo ${VERSION} > /usr/cloudshark/etc/suricata/RULES-VERSION
# Restart suricata
cd /var/www/cloudshark/current && bin/run "sc = SuricataConnection.new;sc.send_reload_command"
Updating nightly
You can run your update script to pull down the new rules and this can be added
to cron to update your rules on a schedule. If your update script is saved as
/home/cloudshark/update_rules.sh then running crontab -e will
open up the crontab for editing. Adding the following line
will call the /home/cloudshark/update_rules.sh each night at 4:00 AM:
0 16 * * * /home/cloudshark/update_rules.sh