AlienVault® USM Appliance™

Customize AlienVault NIDS Rules

Applies to Product: USM Appliance™ AlienVault OSSIM®

Occasionally you may want to customize the AlienVault NIDS rules or enable a rule that is disabled by default, so that the detection works better in your network. This section describes how to accomplish both.

To customize the AlienVault NIDS rule(s)

  1. Identify the rule(s) you want to enable.
  2. Use SSH to log into USM Appliance and select Jailbreak System.
  3. Place the rule you want to enable into /etc/suricata/rules/local.rules and save your changes. One way to do this is to copy the rule(s) from the original rule file and paste it into local.rules, making sure to remove the "#" at the beginning of the line.

    The following example performs these tasks in a Linux one-liner:

    # cat /etc/suricata/rules/emerging_pro-policy.rules | grep 2009294 | cut -d'#' -f2 >> /etc/suricata/rules/local.rules

    In this command, grep searches /etc/suricata/rules/emerging_pro-policy.rules for the unique ID of a disabled Credit Card Policy rule, cut removes the "#" at the beginning of the matching line, and the result is appended to /etc/suricata/rules/local.rules.

    Open local.rules to confirm that the rule was copied correctly:

    # cat /etc/suricata/rules/local.rules

    alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1;)

    Note: To ensure that the rule doesn't conflict with existing rules, you should use a SID between 5,000,000 and 5,999,999.

  4. Repeat the command for all the rules you want to enable.
  5. Modify the rule(s) if needed and save your changes.
  6. Using a command line text editor of your choice, add a reference to local.rules at the bottom of /etc/suricata/rule-files.yaml:

    %YAML 1.1
    ---
    default-rule-path: /etc/suricata/rules
    rule-files:
    - emerging_pro-activex.rules
    - emerging_pro-attack_response.rules
    - emerging_pro-chat.rules
    [...]
    - suricata-smtp-events.rules
    - suricata-stream-events.rules
    - local.rules

  7. Run the following script to import the rules into the database:

    perl /usr/share/ossim/scripts/create_sidmap.pl /etc/suricata/rules

  8. Restart the AlienVault NIDS service for your changes to take effect:

    # service suricata restart

  9. Restart the AlienVault Agent service so that it picks up the changes:

    # service ossim-agent restart
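The file edits from steps 3 to 6, gathered into a small POSIX shell helper. This is an added example, not AlienVault's own script: it selects the rule by the exact "sid:<SID>;" token rather than the bare number (so a reference URL or a longer SID containing the same digits is not copied), strips only the leading "#", refuses to append a rule that local.rules already has, adds "- local.rules" to rule-files.yaml only if it is missing, and checks a custom SID against the 5,000,000 to 5,999,999 range from the note above. The RULES_DIR and RULE_FILES_YAML variables are assumptions: they default to the appliance paths used on this page and can be pointed at a scratch directory to try the functions out. The sidmap import and the service restarts (steps 7 to 9) are left as commands to run on the appliance.

```shell
#!/bin/sh
# Added example, not AlienVault's own tooling. Enables a disabled NIDS rule by exact
# SID, lists local.rules in rule-files.yaml, and checks a custom SID range.
# RULES_DIR and RULE_FILES_YAML are assumptions: they default to the paths used on
# the appliance and can be pointed at a scratch directory to try the functions out.

RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
RULE_FILES_YAML="${RULE_FILES_YAML:-/etc/suricata/rule-files.yaml}"

# enable_rule_by_sid SRC_FILE SID
# Copies the rule carrying exactly "sid:<SID>;" from SRC_FILE into local.rules with
# the leading "#" removed and prints it. Matching on "sid:<SID>;" instead of the bare
# number avoids picking up a reference URL or a longer SID that contains the same
# digits. Returns 1 if the SID is not in SRC_FILE, 2 if local.rules already has it.
enable_rule_by_sid() {
    src="$1"
    sid="$2"
    local_rules="$RULES_DIR/local.rules"
    line=$(grep -E "sid:[[:space:]]*${sid};" "$src" | head -n 1)
    if [ -z "$line" ]; then
        echo "sid $sid not found in $src" >&2
        return 1
    fi
    if [ -f "$local_rules" ] && grep -qE "sid:[[:space:]]*${sid};" "$local_rules"; then
        echo "sid $sid is already in $local_rules" >&2
        return 2
    fi
    # Strip only leading whitespace and "#"; a "#" inside the rule body is left
    # alone, which the page's cut -d'#' -f2 would not do.
    rule=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]#]+//')
    printf '%s\n' "$rule" >> "$local_rules"
    printf '%s\n' "$rule"
}

# ensure_local_rules_listed
# Appends "- local.rules" to the rule-files list in rule-files.yaml (step 6) unless
# it is already listed. Returns 1 if the file has no rule-files: key, 2 if already
# listed.
ensure_local_rules_listed() {
    yaml="$RULE_FILES_YAML"
    if ! grep -q '^rule-files:' "$yaml"; then
        echo "no rule-files: key in $yaml" >&2
        return 1
    fi
    if grep -qE '^[[:space:]]*-[[:space:]]*local\.rules[[:space:]]*$' "$yaml"; then
        return 2
    fi
    printf '%s\n' '- local.rules' >> "$yaml"
}

# check_custom_sid SID
# A rule you write or modify should carry a SID between 5,000,000 and 5,999,999 so
# it cannot collide with a feed rule (the note under step 3). Returns 0 if in range.
check_custom_sid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 5000000 ] && [ "$1" -le 5999999 ]
}

# Steps 7 to 9 from the page, run on the appliance after the files are edited:
#   perl /usr/share/ossim/scripts/create_sidmap.pl /etc/suricata/rules
#   service suricata restart
#   service ossim-agent restart
```

Source the file on the appliance and call, for example, `enable_rule_by_sid /etc/suricata/rules/emerging_pro-policy.rules 2009294` followed by `ensure_local_rules_listed`, then run the three commented commands. Because the helper refuses duplicates, it can be re-run after a feed update without stacking the same rule several times in local.rules.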

Warning: If you are using USM Appliance version 5.3.3 or earlier, running threat intelligence or plugin feed updates will overwrite any changes you made to the local.rules file. To avoid this issue, upgrade to USM Appliance version 5.3.4 or later.

AlienVault OSSIM Limitations: Both AlienVault OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and AlienVault OSSIM provide. However, AlienVault OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.