Threat Assessment Rules

CloudShark requires a set of Suricata rules to generate alerts in the Threat Assessment analysis tool. To provide an initial ruleset a recent version the ET Open Ruleset is installed as part of CloudShark. This guide explains how to update the initial ruleset and configure additional rules.

Configuration files

CloudShark uses the configuration files in /etc/suricata/ to determine the rules and variable settings used during a threat assessment. Suricata is used behind the scenes to generate threats based on the traffic in the capture file.

Suricata-Update

Suricata-Update is a tool bundled with Suricata that may be used to download new rules for threat assessment. The command to download and update the Emerging Threats Open rules that were initially installed with CloudShark is:

suricata-update

Additional Rules

Suricata-Update can download rules from additional sources such as the ET Pro Ruleset. To view what sources can be used for new rules run the commands:

suricata-update update-sources
suricata-update list-sources

Additional sources can be enabled by running:

suricata-update enable-source <source>

Some rulesets such as the ET Pro Ruleset mentioned above may require a subscription and this command will prompt for an access code.

Caching

CloudShark runs the capture through Suricata once and then caches the result which gets returned on subsequent requests without rerunning the capture through Suricata.

After any changes to the configuration or rules to rerun Suricata the service can be restarted by running the following command:

systemctl restart cloudshark-threat-assessment

Then when a user runs threat assessment the capture will be rerun using any new rules or configuration changes to Suricata.