Adding/changing existing Suricata variables -> Unable to sync settings

[ejgh-oe]

Version

2.4.200

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128G

Storage for /

400GB

Storage for /nsm

3TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,

Over the years I set up some custom Suricata rules basically pass-ing traffic that clearly are false positives. Today I needed to adapt one of these rules to cover additional source addresses by changing the rule from

pass dns $VICTORY_NODE_ADDRESSES any -> $DCS any (msg:"Custom: False positive for signature 2034505"; dns_query; content:".burpcollaborator.net"; nocase; endswith; classtype:policy-violation; sid:9000077; rev:1; metadata:created_at 2021_11_18, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18;)

to

pass dns [$VICTORY_NODE_ADDRESSES, $JUPITER_NODE_ADDRESSES] any -> $DCS any (msg:"Custom: False positive for signature 2034505"; dns_query; content:".burpcollaborator.net"; nocase; endswith; classtype:policy-violation; sid:9000077; rev:1; metadata:created_at 2021_11_18, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18;)

At the same time I needed to extend $JUPITER_NODE_ADDRESSES by adding some IP addresses. So I went to suricata > advanced [adv] where all custom variables used are defined and added the respective IP-adresses like so:

old:

        JUPITER_NODE_ADDRESSES:
          - 192.168.11.20
          - 192.168.11.21
          - 192.168.11.22
          - 192.168.21.1

new:

        JUPITER_NODE_ADDRESSES:
          - 192.168.2.1
          - 192.168.2.253
          - 192.168.2.254
          - 192.168.11.20
          - 192.168.11.21
          - 192.168.11.22
          - 192.168.21.1

i.e. three IPs added in YAML-syntax as usual.

After clicking the green checkmark

the usual popup of

but once I clicked on "Synchronize Suricata"...

In order to strip down the problem I even tried removing all custom variables entirely just leaving an empty input window, but again

So even if there absolutely no variables are defined I get the same error.

NB: Please note that the last change I did wrt. variables dates back to pre-2.4.200 - had no problems at all. Could it be that something has changed wrt. custom Suricata variables in 2.4.200?

Thanks in advance for any clue.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Check the SOC log at /opt/so/log/soc/sensoroni-server.log for any issues.

For Suricata variables, you can set them in SOC > Administration > Configuration > suricata > config > vars > address-groups or port-groups. If you want to create on for JUPITER_NODE_ADDRESSES us the Duplicate Settings feature https://docs.securityonion.net/en/2.4/administration.html#duplicate-settings. In the configuration, just add the IPs one per line, no spacing or - like below:

192.168.2.1
192.168.2.253
192.168.2.254
192.168.11.20
192.168.11.21
192.168.11.22
192.168.21.1

[ejgh-oe]

Check the SOC log at /opt/so/log/soc/sensoroni-server.log for any issues.

Nope no errors here

For Suricata variables, you can set them in SOC > Administration > Configuration > suricata > config > vars > address-groups or port-groups. If you want to create on for JUPITER_NODE_ADDRESSES us the Duplicate Settings feature https://docs.securityonion.net/en/2.4/administration.html#duplicate-settings. In the configuration, just add the IPs one per line, no spacing or - like below:

To be specific, I already have a variable JUPITER_NODE_ADDRESSES originally defined via suricata > advanced [adv]; just wanted to add some additional IPs to it and that didn't work via suricata > advanced [adv]. So do I have to remove the respective entry (JUPITER_NODE_ADDRESSES) from the entries under suricata > advanced [adv] and set it up via SOC > Administration > Configuration > suricata > config > vars > address-groups while adding the new IP addresses? Put in another way: is the old way via suricata > advanced [adv] no longer supported when it comes to set custom variables?

...which leads to the next question: So should I redefine all custom variables via SOC > Administration > Configuration > suricata > config > vars > address-groups?

[cm-ops]

It would be easier to manage in SOC > Administration > Configuration > suricata > config > vars > address-groups. This would also be the preferred way.

Putting the below in suricata > advanced [adv] still works:

suricata:
  config:
    vars:
      address-groups: 
       JUPITER_NODE_ADDRESSES:
          - 192.168.2.1
          - 192.168.2.253
          - 192.168.2.254
          - 192.168.11.20
          - 192.168.11.21
          - 192.168.11.22
          - 192.168.21.1

My vars in the suricata.yaml shows it applied:

    vars:
      address-groups:
        HOME_NET: '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]'
        EXTERNAL_NET: '[any]'
        HTTP_SERVERS: '[$HOME_NET]'
        SMTP_SERVERS: '[$HOME_NET]'
        SQL_SERVERS: '[$HOME_NET]'
        DNS_SERVERS: '[$HOME_NET]'
        TELNET_SERVERS: '[$HOME_NET]'
        AIM_SERVERS: '[$EXTERNAL_NET]'
        DC_SERVERS: '[$HOME_NET]'
        DNP3_SERVER: '[$HOME_NET]'
        DNP3_CLIENT: '[$HOME_NET]'
        MODBUS_CLIENT: '[$HOME_NET]'
        MODBUS_SERVER: '[$HOME_NET]'
        ENIP_CLIENT: '[$HOME_NET]'
        ENIP_SERVER: '[$HOME_NET]'
        JUPITER_NODE_ADDRESSES: '[192.168.2.1,192.168.2.253,192.168.2.254,192.168.11.20,192.168.11.21,192.168.11.22,192.168.21.1]'

Things to look out for using advanced are incorrect yaml formatting, missing the correct syntax to add it to the suricata.yaml, and potentially a change to the code, specifically the Suricata defaults.yaml.

[ejgh-oe]

Thanks for the explanation - guess I'll migrate from suricata > advanced [adv] to SOC > Administration > Configuration > suricata > config > vars > address-groups since there seems to be a syntax check in place as opposed to possibly messing up the entire config because of some incorrect YAML synatax in the config entered via suricata > advanced [adv]