Custom local.rules not showing up in kibana NIDS page #1712
Comments
Hi @DranKof , Since your local rules are showing up starting with GID:SID (example: [1:1000008:1]), it sounds like something might be going wrong during rule-update. Are you able to share the full output of that command?
Sure thing, here's the set of rules I was using before and am using now on both versions, as well as the output from running rule-update again just now. local.rules
rule-update
I'm not 100% sure about this, but I am pretty sure I also recall something else being different that may be a clue: I think I noticed that before when I set alerts, they would show up with the RT in red on the interface on the left in SGUIL (just like the default rule alerts), but in the latest version, when viewing the custom local.rules alerts in SGUIL (which are showing up), they actually show up with RT in yellow like the 'log' entries usually had. (Sorry, I'm not able to see the desktop and my previous screenshots from here to confirm.)
Have you tried adding classtype to your rules? Example: alert tcp any any -> any 23 (msg:"p23 telnet dst"; classtype:attempted-user; sid:1000001; rev:1;)
It sounds like the short answer is to make sure that your rules include classtype as that is considered best practice as evidenced by all the major rulesets. Just out of curiosity, when you ran Setup, did you run standard Setup or did you explicitly run sosetup-minimal? Assuming you ran standard Setup, then you should be running the traditional Logstash config where the NIDS alert parser hasn't changed since 3/15/2018, meaning that Logstash should parse NIDS alerts identically from 16.04.4.1 to 16.04.6.3:
We did some further testing of both 16.04.4.1 and 16.04.6.3 and verified that the Logstash parsing of NIDS alerts is identical. There is a slight difference in Kibana visualizations that was allowing 16.04.4.1 to partially show NIDS alerts even when they weren't parsed properly. We also noticed that in 16.04.6.3, you can actually see the unparsed NIDS alerts on the NIDS dashboard. They won't show up in the visualizations at the top of the page but they should show up in the log panel at the bottom of the page. Again, the best answer for both 16.04.4.1 and 16.04.6.3 is to make sure that your rules have classtype so that the alerts are parsed properly and visualizations display as expected. If you have further questions or problems, please use the mailing list: Thanks!
Thank you, I tried getting a second machine running this morning but a static shock seems to have broken the hard drive I was using and I wasn't able to finish. Thank you for helping check. In answer to your question earlier, we didn't know there was a so-setup-minimal -- it was the desktop install icon, then the desktop setup icon, then desktop setup icon again using the settings mentioned earlier. Yeah, I don't think there was a change in the parsing as the alerts were updating, were triggering, and were showing up in the total as well as everywhere else, just not on the NIDS summary. But adding the categories is simple enough. We are looking up how to configure the Kibana pages (not in /etc/kibana apparently) so we can see specifically which configs were changed that affected whether categorized alerts were shown. If we have any more questions we will contact the mailing lists.
Can I suggest that we add a "classtype:misc-attack" to the example rule provided in the "Addition Local Rules" page of the documentation?
I've updated https://docs.securityonion.net/en/16.04/local-rules.html. If you have further questions or problems, please use the mailing list: Thanks!
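The thread's fix is to make sure every rule in local.rules carries a classtype (plus sid and rev) so Logstash can parse the alert. The following linter is an added example written for this issue, not Security Onion's own code: it parses Suricata-style rule lines (honouring semicolons inside quoted msg strings) and reports rules missing those options. The rule text it checks is a constructed sample that includes the telnet rule from the comment above and a second rule without classtype.

```python
import re

# Constructed sample local.rules content (not from the issue); the first rule is
# the classtype example from the thread, the second lacks classtype on purpose.
SAMPLE_LOCAL_RULES = """\
# local.rules - constructed sample
alert tcp any any -> any 23 (msg:"p23 telnet dst"; classtype:attempted-user; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test; no classtype"; sid:1000008; rev:1;)
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def split_options(opts):
    """Split the option body on ';' while respecting quoted strings and escaped quotes."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            buf.append(ch); escape = False
        elif ch == '\\':
            buf.append(ch); escape = True
        elif ch == '"':
            in_quote = not in_quote; buf.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def parse_rule(line):
    """Return a dict of header fields plus an 'options' dict, or None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = {}
    for opt in split_options(m.group('opts')):
        key, _, val = opt.partition(':')   # keywords without a value (e.g. nocase) get ''
        rule['options'][key.strip()] = val.strip()
    return rule

def lint_rules(text):
    """Return (line_no, sid, problems) for every rule missing classtype, sid or rev."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue   # blank lines and comments are not rules
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, None, ['unparseable rule header']))
            continue
        missing = [k for k in ('classtype', 'sid', 'rev') if k not in rule['options']]
        if missing:
            findings.append((n, rule['options'].get('sid'), ['missing ' + k for k in missing]))
    return findings
```

Run `lint_rules(open('/etc/nsm/rules/local.rules').read())` before rule-update to catch rules that will show up in Kibana only as a bare GID:SID.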
Previously, when performing the exact same experiment on a securityonion-16.04.4.1 ISO install, all custom rules showed up by default on the NIDS page. As for the most recent update (16.04.6.3), there is no clear way to make them show there, you have to click into .
To replicate the issue, here are the steps:
Fresh install of Security Onion 16.04.6.3 ISO to hardware:
Two NICs, one facing management network, one monitoring mirrored port for test network
Setup for Production Mode, pretty much all defaults, suricata
create alert rules for /etc/nsm/local.rules and run rule-update
Log into scapy/msf on kalibox, send a few suspicious packets
Log into Kibana on SO, click on NIDS, and I see that they've all been registered:
But when I look for details on them, all I see are default rules (46/285 alerts):
The only way to see the custom rules is by going down on click on this:
Then all the custom rules are visible, but that was quite buried:
Current workaround:
The best workaround I've found is to navigate to the "Indicator" page (which doesn't have a default link on Home either, you have to navigate to the page above and then remove the IP filter):
Which then lets me see all the alerts for all the things at once (previously, this was visible on the NIDS page, however it is not anymore):