AlienVault® USM Appliance™

Customize AlienVault NIDS Rules

Applies to Product: USM Appliance™ AlienVault OSSIM®

Occasionally you may want to customize the AlienVault NIDS rules or enable a rule that is disabled by default, so that the detection works better in your network. This section describes how to accomplish both.

Important: The steps below have been written for the USM Appliance All-in-One.

If running the USM Appliance Server and USM Appliance Sensor separately, you must perform step #1 through #7, step #9, and step #10 on each Sensor. You must perform step #8 on the USM Appliance Server, after copying the local.rules file from the Sensor to the Server. This is because the database only exists on the Server.

To customize the AlienVault NIDS rule(s)

  1. Identify the rule(s) you want to enable.
  2. Connect to the AlienVault Console through SSH and use your credentials to log in. The AlienVault Setup menu displays.
  3. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.Select Yes when prompted. You will be in the root directory.
  4. Place the rule you want to enable into /etc/suricata/rules/local.rules and save your changes. One way to do this is to copy the rule(s) from the original rule file and paste it into local.rules, making sure to remove the "#" at the beginning of the line.

    The following example performs these tasks in a Linux one-liner

    # cat /etc/suricata/rules/emerging_pro-policy.rules | grep 2009294 | cut -d'#' -f2 >> /etc/suricata/rules/local.rules

    In this command, grep is used to search for the unique ID of a disabled Credit Card Policy Rule, copy it from /etc/suricata/rules/emerging_pro-policy.rules, remove the "#" at the beginning of the line (using cut), and paste it to /etc/suricata/rules/local.rules.

    Open local.rules to confirm that the rule was copied correctly

    # cat /etc/suricata/rules/local.rules

    alert ip any any > any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1;)

    Note: To ensure that the rule doesn't conflict with existing rules, you should use a SID between 5,000,000 and 5,999,999.

  5. Repeat the command for all the rules you want to enable.
  6. Modify the rule(s) if needed and save your changes.
  7. Using a command line text editor of your choice, add a reference to local.rules at the bottom of /etc/suricata/rule-files.yaml

    %YAML 1.1

    ---

    default-rule-path: /etc/suricata/rules

    rule-files:

    - emerging_pro-activex.rules

    - emerging_pro-attack_response.rules

    - emerging_pro-chat.rules

    [...]

    - suricata-smtp-events.rules

    - suricata-stream-events.rules

    - local.rules

  8. Run the following script to import the rules to the database

    perl /usr/share/ossim/scripts/create_sidmap.pl /etc/suricata/rules

  9. Restart the AlienVault NIDS service for your changes to take effect

    #service suricata restart

  10. Restart the AlienVault Agent service to digest the changes

    #service ossim-agent restart

Warning: If you are using USM Appliance version 5.3.3 or earlier, running threat intelligence or plugin feed updates will overwrite any changes you made to the local.rules file. To avoid this issue, upgrade to USM Appliance version 5.3.4 or later.

AlienVault OSSIM Limitations: Both AlienVault OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and AlienVault OSSIM provide. However, AlienVault OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.