
Show Suricata rule config for a particular signature ID #1303

Open

philrz opened this issue Dec 23, 2020 · 1 comment

Comments

philrz (Contributor) commented Dec 23, 2020

A community user asked:

Can I see the rules if I double click the signature id?

Another asked for the same:

...is there any consideration for providing the [...] signature that triggered the alert?

In detail, imagine a user is looking at an alert in the Log Detail view. The Signature ID is prominently displayed.

[screenshot: Log Detail view of an alert, with the Signature ID displayed]

The detail of the rules config is currently present in the suricata.rules config, but is not yet shown anywhere in the app. For example, on macOS:

$ grep 2012648 ~/Library/Application\ Support/Brim/suricata/rules/suricata.rules 
alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)

We discussed as a team different ways we could obtain this data. Since the format is consistently the sid:[number] shown here, it could theoretically be as simple as the grep-like operation done here. These same rules configs are also available on the web (since that's where the rules updater obtains them), though a potential downside would be that the info would not be available in airgapped environments.

In terms of how it could be revealed, we discussed perhaps making it available as a tooltip, similar to how Brim makes the field descriptions available as tooltips attached to the field names.

As long as we're showing the info, I also wondered if there were "pretty printer" options that would make this look less like a long line of text. The only one I found is https://github.com/theY4Kman/suricata-prettifier/tree/master/suricata_prettifier which is written in Python. But we could do a little more digging, or maybe just write something quick of our own based on the same logic.
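An added example (not Brim's code and not the prettifier linked above) of the two pieces the comment describes: an exact-sid lookup over a suricata.rules file, and a small pretty printer that lays the option block out one option per line. The sample file is constructed inline; its second rule is made up and only exists to show why a plain substring grep for the number can over-match, since the digits can also appear inside a content match.

```javascript
// Added example (not Brim's own code): exact-sid lookup in suricata.rules
// plus a simple pretty printer for a rule's option list.
// Constructed sample file: the sid:2012648 rule quoted in the issue and a
// made-up rule whose content happens to contain the digits "2012648".
const SAMPLE_RULES = `
# comment line, skipped by the indexer
alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED; not a real rule"; content:"id=2012648;"; sid:9999999; rev:1;)
`;

// Index rules by sid, matching the "sid:<n>;" option itself rather than any
// occurrence of the digits (a plain grep for 2012648 also hits rule two).
function indexBySid(rulesText) {
  const index = new Map();
  for (const raw of rulesText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /[(;\s]sid:\s*(\d+)\s*;/.exec(line);
    if (m) index.set(m[1], line);
  }
  return index;
}

// Split a rule into its header and [key, value] options. Semicolons inside
// quoted strings (e.g. content:"...;...") belong to the option, not the list.
function parseRule(rule) {
  const open = rule.indexOf("(");
  const close = rule.lastIndexOf(")");
  if (open < 0 || close < open) throw new Error("rule has no option block");
  const options = [];
  let cur = "";
  let inQuote = false;
  for (let i = open + 1; i < close; i++) {
    const ch = rule[i];
    if (ch === '"' && rule[i - 1] !== "\\") inQuote = !inQuote;
    if (ch === ";" && !inQuote) {
      const colon = cur.indexOf(":");
      options.push(colon < 0 ? [cur.trim(), ""] : [cur.slice(0, colon).trim(), cur.slice(colon + 1).trim()]);
      cur = "";
    } else {
      cur += ch;
    }
  }
  if (cur.trim()) options.push([cur.trim(), ""]); // option without trailing ";"
  return { header: rule.slice(0, open).trim(), options };
}

// Render the rule with one option per line instead of one long line.
function prettyPrint(rule) {
  const { header, options } = parseRule(rule);
  return [header + " (", ...options.map(([k, v]) => `  ${k}${v ? ":" + v : ""};`), ")"].join("\n");
}
```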

@philrz philrz added this to the Brim v0.24.0 milestone Dec 23, 2020
@philrz philrz modified the milestones: Brim v0.24.0, Brim v0.25.0 Jan 5, 2021
@philrz philrz removed this from the Brim v0.25.0 milestone Jan 28, 2021
philrz (Contributor, Author) commented Feb 9, 2021

In a group discussion today, we recognized this could be a specific example of the ideas discussed in #1419.
