Threat Assessment Rules
CloudShark requires a set of Suricata rules to generate alerts in the Threat Assessment analysis tool. To provide an initial ruleset, a recent version of the ET Open Ruleset is installed as part of CloudShark. This guide explains how to update the initial ruleset and how to configure additional rules.
CloudShark uses the configuration files in /etc/suricata/ to determine the rules and variable settings used during a threat assessment. Suricata is run behind the scenes to generate the threat alerts based on the traffic in the capture file.
Suricata-Update is a tool bundled with Suricata that may be used to download new rules for threat assessment. The command to download and update the Emerging Threats Open rules that were initially installed with CloudShark is:
Suricata-Update can download rules from additional sources such as the ET Pro Ruleset. To see which sources can be used for new rules, run the following commands:
suricata-update update-sources
suricata-update list-sources
Additional sources can be enabled by running:
suricata-update enable-source <source>
Some rulesets, such as the ET Pro Ruleset mentioned above, require a subscription, and this command will prompt for an access code.
CloudShark runs the capture through Suricata once and then caches the result which gets returned on subsequent requests without rerunning the capture through Suricata.
After any change to the configuration or rules, the service must be restarted so that Suricata is rerun. Restart it with the following command:
systemctl restart cloudshark-threat-assessment
Then, the next time a user runs a threat assessment, the capture is rerun through Suricata using the new rules or configuration changes.
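The update-and-restart sequence above, as an added shell script that is not part of CloudShark or Suricata. It assumes the Suricata configuration is /etc/suricata/suricata.yaml and that suricata-update writes its merged ruleset to its default output, /var/lib/suricata/rules/suricata.rules; it runs Suricata's configuration test mode (`suricata -T`) before restarting, so a ruleset that fails to load leaves the running service and its cached results untouched.

```shell
#!/bin/sh
# Added example: refresh the Threat Assessment ruleset, validate it, then restart.
# Assumptions: suricata.yaml is in /etc/suricata/ (as the guide states) and the
# merged rules land in suricata-update's default output file. The *_BIN
# variables only exist so the workflow can be exercised offline with stand-ins.
SURICATA_UPDATE_BIN=${SURICATA_UPDATE_BIN:-suricata-update}
SURICATA_BIN=${SURICATA_BIN:-suricata}
SYSTEMCTL_BIN=${SYSTEMCTL_BIN:-systemctl}
SURICATA_YAML=${SURICATA_YAML:-/etc/suricata/suricata.yaml}
RULES_FILE=${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}

# Count enabled rules: non-empty lines that are not commented out.
count_rules() {
    if [ -r "$1" ]; then grep -c '^[^#[:space:]]' "$1"; else echo 0; fi
}

# Fetch the latest rules from every enabled source (ET Open by default).
fetch_rules() {
    "$SURICATA_UPDATE_BIN"
}

# Load the configuration and rules in test mode (-T) so a broken rule fails
# here instead of silently breaking threat assessment after the restart.
validate_config() {
    "$SURICATA_BIN" -T -c "$SURICATA_YAML"
}

# Full workflow: update, validate, restart. Returns 1 if the download fails and
# 2 if validation fails; in both cases the service is left running as-is.
refresh_rules() {
    before=$(count_rules "$RULES_FILE")
    fetch_rules || { echo "rule download failed" >&2; return 1; }
    validate_config || { echo "ruleset failed validation; not restarting" >&2; return 2; }
    after=$(count_rules "$RULES_FILE")
    echo "enabled rules: $before -> $after"
    "$SYSTEMCTL_BIN" restart cloudshark-threat-assessment
}

# Run the workflow only when invoked as: sh refresh-rules.sh run
if [ "${1:-}" = "run" ]; then refresh_rules; fi
```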