Add Setting for pointing at local Suricata rules #3049
Merged
We've had a couple of community issues recently where users mistakenly thought Zui's Brimcap YAML Config File setting may have been intended for loading additional local Suricata rules (#3047, #2949). We've never intended to expose UX in Zui to control all the possible customizations in bundled tools like Suricata and instead have tried to maintain a set of sensible defaults to which we've added modest enhancements over time when resources allow. When users ask for customizations that are more ambitious than we can easily offer, our catch-all/fallback answer is to refer them to the Custom Brimcap Config article that guides them through how they can point Zui at their own installs of pcap analyzers like Suricata that they've customized as much as they'd like.
All that said, I recognize that following the Custom Brimcap Config steps could be seen as fairly heavyweight by a user that wants to do something simple such as loading additional Suricata rules. Furthermore, for that specific use case, I already put in most of the hard work via brimdata/build-suricata#63 to make sure that the Suricata rules updater that ships with Brimcap is capable of loading additional rule sets if they're specified on the command line. The user that spawned the inquiry that led to that Brimcap PR only seemed to be interested in standalone Brimcap, so at the time I did not pursue exposing the functionality at the Zui layer. But now that we've established that some Zui users are looking for this functionality, I figure our time is better spent delivering the enhancement rather than repeatedly pointing them at heavyweight docs and hoping for the best.
As described in the suricata-update docs, loading such additional rules is accomplished by appending --local and a pathname to a file or directory of rule files to include. This PR leverages this by exposing a new Local Suricata Rules Folder setting in Zui that allows the user to select a directory that may contain any number of Suricata rules files. The end result is that the additional rules will be included in the final set used by Zui alongside the default Emerging Threats Open rule set that's always present by default.

The following video taken on macOS shows the feature working as intended using a Dev build based on commit c75e955 from this PR's branch. It uses the attached test data in example.pcap.gz, which is a capture of me pinging one of the IP addresses associated with the "stalkerware" rules requested in #3047.

First I baseline by loading the pcap with the default Emerging Threats Open rules and we see no Suricata alert is generated. Then I use the new setting to point at the folder on my desktop that contains the additional stalkerware rules. Changing the setting triggers the re-run of the Suricata rules updater, and we can see the size of the assembled suricata.rules file increase as a result. I then re-import the pcap and we can see the expected alert now appears. Finally, I delete the setting such that the Suricata rules updater re-runs to bring me back to just the default Emerging Threats Open rule set again. Re-processing the pcap one last time, we see the alert is once again gone.

(Video: Demo.mp4)
I re-ran this same set of steps with the Windows build and saw the same successful outcome there.
If this merges, what I'll likely do right after is write a new article in the Features section of the Zui docs that covers both this new feature and the existing Brimcap YAML Config File setting. Regarding the latter, up to now its "docs" link in Settings has pointed directly at the Custom Brimcap Config article in the Brimcap wiki. That's been fine, but I feel like a standalone Zui doc that covers pcap processing (maybe reference the plugin system, etc.) in addition to these other topics would be more user-friendly.
Closes #3047
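The PR relies on suricata-update's --local option and verifies the result by watching the size of the assembled suricata.rules file grow. A more precise check is to confirm that every sid from the local folder actually made it into the assembled file, which also catches rules the updater disabled or dropped. The script below is an added example and is not Zui or Brimcap project code: it builds the suricata-update command line that a "local rules folder" setting implies, then compares sids between the local folder and the assembled file. The folder layout, rule contents and sids are constructed for illustration; the `-o` output-directory flag is taken from the suricata-update documentation, and everything else (helper names, the demo() layout) is this example's own.

```python
"""Check that rules from a local folder were included by suricata-update.

Added example, not Zui/Brimcap code. Rule files, sids and directory names
below are constructed; only the --local and -o options come from the
suricata-update documentation.
"""
import os
import re
import tempfile

# Matches the sid keyword inside a rule's option block, e.g. "sid:9000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed local rules: a folder the user would select in the new setting.
LOCAL_RULES = """\
# constructed example rules for this demo
alert dns any any -> any any (msg:"DEMO local rule 1 - constructed"; dns.query; content:"example.invalid"; sid:9000001; rev:1;)
alert dns any any -> any any (msg:"DEMO local rule 2 - constructed"; dns.query; content:"other.invalid"; sid:9000002; rev:1;)
"""

# Constructed stand-in for the assembled suricata.rules written by suricata-update.
# It deliberately carries only one of the two local rules so the check has
# something to report; the commented line mimics a rule the updater disabled.
ASSEMBLED_RULES = """\
alert dns any any -> any any (msg:"DEMO bundled rule - constructed"; dns.query; content:"bundled.invalid"; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"DEMO local rule 1 - constructed"; dns.query; content:"example.invalid"; sid:9000001; rev:1;)
# alert dns any any -> any any (msg:"DEMO local rule 2 - constructed"; dns.query; content:"other.invalid"; sid:9000002; rev:1;)
"""


def build_update_command(output_dir, local_rules_dir=None):
    """Return the suricata-update argv; the setting only adds '--local <dir>'.

    -o writes the assembled suricata.rules into output_dir (documented flag).
    """
    argv = ["suricata-update", "-o", output_dir]
    if local_rules_dir:
        argv += ["--local", local_rules_dir]
    return argv


def load_sids(path):
    """Parse sids from one rules file, ignoring blank, comment and disabled lines."""
    sids = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            match = SID_RE.search(line)
            if match:
                sids.add(int(match.group(1)))
    return sids


def local_rule_sids(local_rules_dir):
    """Collect sids from every *.rules file in the folder the setting points at."""
    sids = set()
    for name in sorted(os.listdir(local_rules_dir)):
        if name.endswith(".rules"):
            sids |= load_sids(os.path.join(local_rules_dir, name))
    return sids


def check_local_rules_included(assembled_rules_file, local_rules_dir):
    """Return (included, missing): local sids present in / absent from the assembled file."""
    wanted = local_rule_sids(local_rules_dir)
    have = load_sids(assembled_rules_file)
    return wanted & have, wanted - have


def demo():
    """Constructed end-to-end run on temporary files; returns the results."""
    work = tempfile.mkdtemp(prefix="local-rules-demo-")
    local_dir = os.path.join(work, "local-rules")
    out_dir = os.path.join(work, "out")
    os.mkdir(local_dir)
    os.mkdir(out_dir)
    with open(os.path.join(local_dir, "custom.rules"), "w") as fh:
        fh.write(LOCAL_RULES)
    assembled = os.path.join(out_dir, "suricata.rules")
    with open(assembled, "w") as fh:
        fh.write(ASSEMBLED_RULES)
    included, missing = check_local_rules_included(assembled, local_dir)
    return {
        "command": build_update_command(out_dir, local_dir),
        "local_dir": local_dir,
        "included": included,
        "missing": missing,
    }


if __name__ == "__main__":
    result = demo()
    print("would run:", " ".join(result["command"]))
    print("included sids:", sorted(result["included"]))
    print("missing sids: ", sorted(result["missing"]))
```

Comparing sids rather than file size also surfaces the case the video does not exercise: a local rule that suricata-update disabled (commented out) or dropped, which would leave the file larger without the alert ever firing.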