Threat Assessment Rules

CloudShark requires a set of Suricata rules to generate alerts in the Threat Assessment analysis tool. To provide an initial ruleset, a recent version of the ET Open Ruleset is installed as part of CloudShark. This guide explains how to update that initial ruleset and how to configure additional rules.

Configuration files

CloudShark reads the configuration files in /usr/cloudshark/etc/suricata/config/ to determine the variable settings used during a threat assessment. The rules are stored under /usr/cloudshark/etc/suricata/rules/ and should be managed with Suricata-Update rather than edited by hand, since Suricata-Update rewrites its output file on every run.

Suricata-Update

Suricata-Update is a tool bundled with Suricata that downloads rule sources and merges them into the ruleset used for threat assessment. It must be run as a user that can write to the rules directory (normally root). To download the latest version of the Emerging Threats Open rules that were installed with CloudShark, run:

suricata-update

Additional Rules

Suricata-Update can also download rules from additional sources such as the ET Pro Ruleset. To refresh the source index and then list the sources available, run:

suricata-update update-sources
suricata-update list-sources

Enable an additional source by running:

suricata-update enable-source <source>

Some rulesets, such as the ET Pro Ruleset mentioned above, require a subscription; for those, enable-source prompts for the subscription's access code. Enabling a source only records it in the Suricata-Update configuration, so run suricata-update again afterwards to actually download and merge its rules.

Caching

CloudShark runs a capture through Suricata once and caches the result; subsequent requests for the same capture return the cached result without rerunning Suricata. Updated rules therefore have no effect on captures that were already assessed until the cache is cleared.

To rerun Suricata after any change to the configuration or rules, restart the service:

systemctl restart cloudshark-threat-assessment

The next time a user runs Threat Assessment, the capture is rerun with the new rules and configuration.
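The full update cycle (download, sanity-check the merged rules, restart to clear the cache) as one script. This is an added example, not CloudShark's own tooling. It assumes that suricata-update on the host writes its merged output to /usr/cloudshark/etc/suricata/rules/suricata.rules (suricata.rules is suricata-update's default output file name; check the installed configuration) and that the Suricata configuration used for the optional load test is named suricata.yaml under the config directory. The sample rules file written at the top is constructed for the demonstration and is not a real ruleset.

```shell
#!/bin/sh
# Added example, not part of the CloudShark documentation or product.
# Assumed paths (label: assumption): the merged rules file name and the
# Suricata config file name are not stated on the page.
RULES_DIR=/usr/cloudshark/etc/suricata/rules
RULES_FILE="$RULES_DIR/suricata.rules"                        # assumed name
CONFIG_FILE=/usr/cloudshark/etc/suricata/config/suricata.yaml # assumed name

# Print "<enabled> <disabled>" rule counts for a rules file. An enabled rule
# starts with an action keyword; a disabled rule is the same line commented out.
rule_counts() {
    awk '
        /^[ \t]*(alert|drop|pass|reject)[ \t]/        { on++ }
        /^[ \t]*#[ \t]*(alert|drop|pass|reject)[ \t]/ { off++ }
        END { printf "%d %d\n", on + 0, off + 0 }
    ' "$1"
}

# Count enabled rules that carry no sid option. Suricata rejects such a rule
# at load time, so a non-zero count means the file is not what you expect.
malformed_count() {
    awk '
        /^[ \t]*(alert|drop|pass|reject)[ \t]/ && !/sid:[ \t]*[0-9]+[ \t]*;/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Exit 0 if an enabled rule with the given sid is present, 1 otherwise.
# Useful to confirm a newly enabled source actually landed in the merged file.
has_sid() {
    awk -v want="$2" '
        /^[ \t]*(alert|drop|pass|reject)[ \t]/ && match($0, /sid:[ \t]*[0-9]+[ \t]*;/) {
            s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s)
            if (s == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Download rules, verify the merged file, then clear the cached results.
# Run as root after any "suricata-update enable-source" change.
refresh_rules() {
    suricata-update || return 1
    [ -s "$RULES_FILE" ] || { echo "no rules written to $RULES_FILE" >&2; return 1; }
    set -- $(rule_counts "$RULES_FILE")
    echo "rules: $1 enabled, $2 disabled"
    [ "$1" -gt 0 ] || { echo "no enabled rules; not restarting" >&2; return 1; }
    [ "$(malformed_count "$RULES_FILE")" -eq 0 ] || { echo "rules without sid found" >&2; return 1; }
    # Optional: let Suricata itself parse config and rules before trusting them.
    if command -v suricata >/dev/null 2>&1 && [ -f "$CONFIG_FILE" ]; then
        suricata -T -c "$CONFIG_FILE" -S "$RULES_FILE" || return 1
    fi
    # Results are cached per capture; restarting invalidates them so the new
    # rules are applied on the next Threat Assessment run.
    systemctl restart cloudshark-threat-assessment
}

# Constructed sample rules file, only to exercise the checks above offline.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH probe"; flow:to_server; sid:9000001; rev:2;)
#alert dns $HOME_NET any -> any any (msg:"SAMPLE disabled rule"; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE missing sid"; rev:1;)
EOF

echo "sample counts (enabled disabled): $(rule_counts "$SAMPLE_FILE")"
echo "sample rules without sid: $(malformed_count "$SAMPLE_FILE")"
```

The checks run on the real file with `rule_counts "$RULES_FILE"` and `has_sid "$RULES_FILE" <sid>`; `refresh_rules` is not invoked by the script itself so that it can be sourced safely and called only when you intend to restart the service.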