add a classification and tune a rule's severity level to high on suricata #10659

js-messi · 2023-06-26T09:48:23Z

js-messi
Jun 26, 2023

I want to add a custom suricata rule on security-onion 2,
according from manual,
I add it in /opt/so/saltstack/local/salt/idstools/local.rules
alert ip 10.x.x.x any -> any any (msg:"test!";classtype:test;sid:1999999;)
but it's "low " severity level by default and it's shown blank in Security Onion-Rule-Category
I don't know how can I modify the severity level from low to high and how it can be shown on Security Onion-Rule-Category,thanks!

InfosecGoon · 2023-06-26T20:11:38Z

InfosecGoon
Jun 26, 2023

To set the category and severity, use the "classtype" directive and rather than test include one of the categories from /opt/so/conf/suricata/classification.config.

For example, setting it to "classtype:trojan-activity" would set it to high priority.

4 replies

js-messi Jun 27, 2023
Author

Hi Gracie,

Thanks for your reply, how to add a classtype and set the serverity?

InfosecGoon Jun 27, 2023

If you want to use one of the built-in classtypes, you can just copy the name from the classification.config file.

If you want to add a new classtype, you can do that by modifying /opt/so/saltstack/local/pillar/global.sls and adding something like this:

 

suricata:
  classification:
    test-classification:
      description: Testing
      priority: 1

js-messi Jun 29, 2023
Author

Thanks a lot for your reply,I try to add a new classtype on global.sls and use it on a test rule,it's shown on kibana alert,but on security onion-rule-catagory(lower left),it's blank,can you tell me how to add this new classtype to catagory?

InfosecGoon Jul 5, 2023

It should be pulling that category name from classification.config.

Can you share your custom rule and the /opt/so/conf/suricata/classification.config file?

js-messi · 2023-06-27T02:45:39Z

js-messi
Jun 27, 2023
Author

Hi Gracie, Thanks for your reply, how to add a classtype and set the serverity? Matthew Gracie ***@***.***>于2023年6月27日周二04:11写道：

…

To set the category and severity, use the "classtype" directive and rather than test include one of the categories from /opt/so/conf/suricata/classification.config. For example, setting it to "classtype:trojan-activity" would set it to high priority. — Reply to this email directly, view it on GitHub <#10659 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANMWB65K74UMF4QMKZNGJ2LXNHUIJANCNFSM6AAAAAAZT4552A> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/10659/comments/6286143 @github.com>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

add a classification and tune a rule's severity level to high on suricata #10659

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

add a classification and tune a rule's severity level to high on suricata #10659

Uh oh!

js-messi Jun 26, 2023

Replies: 2 comments · 4 replies

Uh oh!

InfosecGoon Jun 26, 2023

Uh oh!

js-messi Jun 27, 2023 Author

Uh oh!

Uh oh!

InfosecGoon Jun 27, 2023

Uh oh!

js-messi Jun 29, 2023 Author

Uh oh!

InfosecGoon Jul 5, 2023

Uh oh!

js-messi Jun 27, 2023 Author

js-messi
Jun 26, 2023

Replies: 2 comments 4 replies

InfosecGoon
Jun 26, 2023

js-messi Jun 27, 2023
Author

js-messi Jun 29, 2023
Author

js-messi
Jun 27, 2023
Author