Scirius is a web interface dedicated to Suricata ruleset management. It handles the rules files and the updates of the associated files.
Scirius is developed by Stamus Networks and is available under the GNU GPLv3 license.
Scirius is an application written in Django. You can install it like any other Django application.
The following procedure has been tested on Debian Wheezy and Sid and Ubuntu LTS 12.04.
Scirius is using the following Django modules:
- tables2
- south
- bootstrap3
- requests
- revproxy
The easy way to install the dependencies is to use pip:
On Debian, you can run
aptitude install python-pip python-dev
You can then install django and the dependencies
pip install -r requirements.txt
To use the suri_reloader script, which handles Suricata restarts, you will also need pyinotify
pip install pyinotify
It has been reported that on some Debian systems forcing a recent GitPython is required
pip install gitpython==0.3.1-beta2
You may also need the gitdb module
pip install gitdb
Get the source, then run from inside the source directory
python manage.py syncdb
Authentication is enabled by default in Scirius, so you will need to create a superuser account when prompted.
One of the easiest ways to try Scirius is to run the Django test server
python manage.py runserver
You can then connect to localhost:8000.
If you need the application to listen on a reachable address, you can run something like
python manage.py runserver 192.168.1.1:8000
Keep in mind that runserver is Django's development server: it serves plain HTTP and is not meant for production use, so do not expose it beyond a trusted network. For a permanent deployment, run Scirius behind a regular WSGI server and a TLS-terminating web server, as with any other Django application.
Scirius generates one single rules file containing all activated rules. When editing the Suricata object, you have to set the directory where you want this file to be generated and where the associated files of the ruleset are to be copied.
Scirius won't touch your Suricata configuration file, aka suricata.yaml. So you have to update it to point to the directory where data are set up by Scirius. If you are only using rules generated by Scirius, you should have something looking like this in your suricata.yaml file
default-rule-path: /path/to/rules
rule-files:
  - scirius.rules
To interact with Scirius, you need to detect when the /path/to/rules/scirius.reload file is created, initiate a reload or restart of Suricata when that happens, and delete the reload file once this is done.
One possible way to do that is to use suri_reloader, available in the suricata/scripts directory. The syntax of suri_reloader can be something similar to
suri_reloader -p /path/to/rules -l /var/log/suri-reload.log -D
Use the -h option to get the complete list of options. Please note that suri_reloader uses the service command to restart or reload Suricata. This means you need an init script to get it working.
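As an added example (this is not the suri_reloader script shipped in suricata/scripts, nor Scirius code), the following Python 3 script implements the same contract with only the standard library: it polls the rules directory, runs a fixed reload command when scirius.reload appears, and removes the marker only after that command succeeded. The default command `service suricata reload`, the polling interval and the option names are assumptions; adapt them to your init script.

```python
"""Minimal polling reloader for the scirius.reload marker.

Added example, not the suri_reloader script from suricata/scripts and not
Scirius code. Standard library only (no pyinotify); polls instead of inotify.
The reload command is an assumption and must match your init script.
"""
import argparse
import os
import subprocess
import sys
import time

RELOAD_MARKER = "scirius.reload"  # file Scirius creates after a push


def handle_reload(rules_dir, reload_cmd, log=sys.stderr):
    """Reload Suricata once if the marker exists; return True if a reload ran.

    Only the marker's presence counts: its content is never read or executed.
    reload_cmd is a fixed argv list (no shell=True), so nothing the web
    application writes into the rules directory can influence what this
    privileged process runs. The marker is removed only after the command
    succeeded, so a failed reload is retried on the next poll instead of
    being silently lost.
    """
    marker = os.path.join(rules_dir, RELOAD_MARKER)
    if not os.path.isfile(marker):
        return False
    print("reload requested via %s" % marker, file=log)
    result = subprocess.run(reload_cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    if result.returncode != 0:
        print("reload command failed (rc=%d): %s"
              % (result.returncode, result.stdout.decode(errors="replace")),
              file=log)
        return False
    os.unlink(marker)
    print("reload done, marker removed", file=log)
    return True


def watch(rules_dir, reload_cmd, interval=2.0, max_polls=None, log=sys.stderr):
    """Poll forever (or max_polls times); return the number of reloads run."""
    done = 0
    polls = 0
    while max_polls is None or polls < max_polls:
        if handle_reload(rules_dir, reload_cmd, log):
            done += 1
        polls += 1
        time.sleep(interval)
    return done


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="reload Suricata when scirius.reload appears")
    parser.add_argument("-p", "--path", required=True,
                        help="directory where Scirius writes its rules")
    parser.add_argument("-i", "--interval", type=float, default=2.0,
                        help="poll interval in seconds")
    parser.add_argument("--cmd", nargs="+",
                        default=["service", "suricata", "reload"],
                        help="reload command (assumed init script action)")
    args = parser.parse_args()
    watch(args.path, args.cmd, interval=args.interval)
```

Run it as root on the sensor, for example `python3 reloader.py -p /path/to/rules --cmd service suricata restart` if your init script has no reload action. Because the rules directory is writable by the web application while this script runs with the privileges needed to restart Suricata, it deliberately reacts to one fixed file name and never interprets the file's content.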
If you are using Suricata with Eve logging and Elasticsearch, you can get information about signatures displayed in the page showing information about Suricata:
You can also get a graph and details about a specific rule:
To set up the Elasticsearch connection, you can edit settings.py or create a local_settings.py file under the scirius directory to set up the feature.
Elasticsearch is activated if a variable named USE_ELASTICSEARCH is set to True in settings.py. The address of the Elasticsearch instance is stored in the ELASTICSEARCH_ADDRESS variable and uses the format IP:port.
For example, if your Elasticsearch is running locally, you can add to local_settings.py
USE_ELASTICSEARCH = True
ELASTICSEARCH_ADDRESS = "127.0.0.1:9200"
Please note that the name of the Suricata (set when editing the object) must be equal to the host key present in the Elasticsearch events.
If you are using Kibana, it is possible to get links to your dashboards by clicking the top left icon:
To activate the feature, you need to edit your local_settings.py file:
KIBANA_URL = "http://localhost/"
USE_KIBANA = True
Scirius uses authentication by default. You will need a superuser to be able to create and edit users for Scirius. syncdb should have created one for you. If it is not the case, you can run from the Scirius base directory
python manage.py createsuperuser
The base directory is the directory where the Scirius sources have been extracted. If you are using SELKS this is /opt/selks/scirius.
You will then be able to connect using the provided credentials.
The permissions system is basic:
- Superusers can edit and create users
- Staff members can make changes to rulesets and Suricata
This gives three useful levels for users:
- Read-only: no flag set
- Staff member: with the staff flag set, they can update rulesets and Suricata
- Super user: staff and superuser flags set, they can do anything
A Ruleset is made of components selected in different Sources. A Source is a set of files providing information to Suricata. For example, this can be the Emerging Threats ruleset.
To create a ruleset, you thus must create a set of Sources and then link them to the ruleset. Once this is done, you can select which elements of the source you want to use. For example, in the case of a signature ruleset, you can select which categories you want to use and which individual signatures you want to disable.
Once a Ruleset is defined, you can attach it to your Suricata. To do that simply edit the Suricata object and choose the Ruleset in the list.
To create a Source go to Sources -> Add (Add being in the Actions menu in the sidebar). Then set the different fields and click Submit.
A source of datatype Signatures files in tar archive has to follow some rules:
- It must be a tar archive
- All files must be under a rules directory
For example, if you want to fetch ETOpen Ruleset for Suricata 2.0.1, you can use:
- Name: ETOpen Ruleset
- URI: https://rules.emergingthreats.net/open/suricata-2.0.1/emerging.rules.tar.gz
A source of datatype Individual signature files has to be a single file containing signatures.
For example, if you want to use SSL blacklist from abuse.ch, you can use:
- Name: SSLBL abuse.ch
- URI: https://sslbl.abuse.ch/blacklist/sslblacklist.rules
To update a Source, you first need to select it. To do that, go to Sources then select the wanted Source in the table.
You can then click on Update in the menu in the sidebar. This step can take a while as it can require some download and heavy parsing.
Once updated, you can browse the result by following links in the table.
To create a Ruleset go to Ruleset -> Add (Add being in the Actions menu in the sidebar). Then set the name of the Ruleset, choose which Sources to use and click Submit.
To update a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the table.
You can then click on Update in the Action menu in the sidebar. This step can take a while as it can require the download of different Sources and heavy parsing.
To edit a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the table.
You can then click on Edit in the Action menu in the sidebar.
There are now different operations available in the Action menu
- Edit sources: select which sources of signatures to use in the Ruleset
- Edit categories: select which categories of signatures to use in the Ruleset
- Add rule to suppressed list: if a rule is in this list then it will not be part of the generated Ruleset
- Remove rule from suppressed list: this removes a rule from the previously mentioned list, thus re-enabling it in the Ruleset
To select which Sources to use, just select them via the checkbox and click on Update sources. Please note that selecting categories to enable is the next step in the process when you add a new source.
To select which Categories to use, just select them via the checkbox and click on Update categories.
Use the search field to find the rule(s) you want to remove; you can use the SID or any other element in the signature. Scirius will search the entered text in the definition of the signatures and return the list of matching rules.
You will then be able to remove them by ticking the check boxes and clicking on Add selected rules to suppressed list.
To remove rules from the suppressed list, simply check them in the table and click on Remove select rules from suppressed list.
To update the Suricata ruleset, you can go to Suricata -> Update (Update being in the Actions menu). Then you have to select which action you want to do:
- Update: download the latest version of the Sources used by the Ruleset
- Build: build a Suricata ruleset based on the current version of the Sources
- Push: trigger a Suricata reload to have it running with the latest built ruleset
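To make the suppressed-list search and the Build step concrete, here is an added Python 3 example that is not Scirius code: it parses constructed sample rule files from two Sources, lets you search rule definitions by SID or free text (the way the suppressed-list search is described above), and builds a single scirius.rules-style file in which upstream-disabled and suppressed rules are emitted commented out. The sample rules, the dict-of-sources data model and the choice to keep suppressed rules as comments are assumptions of this example.

```python
"""Search rules and build one rules file minus a suppressed list.

Added example, not Scirius code. The sample rule text below is constructed
and the data model (a dict of source name -> file content) is an assumption.
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample Sources: a category file from a tar archive Source and an
# individual signature file. Rules disabled upstream are commented out.
SOURCES = {
    "emerging-malware.rules": """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example beacon"; sid:2000001; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET MALWARE Old IRC bot"; sid:2000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example DGA lookup"; sid:2000003; rev:1;)
""",
    "sslblacklist.rules": """\
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL Malicious SSL certificate"; sid:902000001; rev:1;)
""",
}


def parse_rules(text):
    """Yield (sid, enabled, body) per signature line; skip lines without a sid."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        match = SID_RE.search(body)
        if match is None:
            continue  # plain comment or malformed line
        yield int(match.group(1)), enabled, body


def search_rules(sources, needle):
    """Return sorted SIDs whose definition matches `needle` (a SID or text)."""
    hits = set()
    for text in sources.values():
        for sid, _enabled, body in parse_rules(text):
            if needle == str(sid) or needle.lower() in body.lower():
                hits.add(sid)
    return sorted(hits)


def build_ruleset(sources, suppressed):
    """Return the text of a single generated rules file.

    Disabled or suppressed rules are written commented out so their SID
    stays visible; a SID seen in an earlier Source wins over duplicates.
    """
    out = []
    seen = set()
    for name in sorted(sources):
        out.append("# source: %s" % name)
        for sid, enabled, body in parse_rules(sources[name]):
            if sid in seen:
                continue
            seen.add(sid)
            if not enabled or sid in suppressed:
                out.append("#" + body)
            else:
                out.append(body)
    return "\n".join(out) + "\n"


def active_sids(ruleset_text):
    """SIDs that Suricata would actually load from a generated file."""
    return [sid for sid, enabled, _ in parse_rules(ruleset_text) if enabled]


if __name__ == "__main__":
    print("matches for 'DGA':", search_rules(SOURCES, "DGA"))
    generated = build_ruleset(SOURCES, suppressed={2000003})
    print(generated)
    print("active:", active_sids(generated))
```

Search is deliberately run over every rule definition, including rules the upstream Source has already disabled, so that a search by SID always finds the rule you are looking for; the build then decides what is active. Deduplicating by SID matters because Suricata refuses to load a rules file containing the same SID twice.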
You can also update the ruleset and trigger a Suricata reload by running
python manage.py updatesuricata