Suricata is not thresholding rules

[sleepingbel]

Version

2.4.20

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

26

Storage for /

200 GB

Storage for /nsm

1 TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello all,

First I would like to thank the SO team for this new version, it makes a lot of things much simpler once you understand the new concept. I have been running the new version for 3 weeks now and so far I only see advantages compared to the previous version.

Suricata, the threshold list entered in the configuration section of the SOC screen is not converted to the threshold.conf

I use a simple threshold and used the manual as a guide

Fictional example

thresholding:
  sids:
    2010781:
      - suppress:
          gen_id: 1
          track: by_dst
          ip: 192.168.1.98, 209.197.2.0/23

To which location is the web data written, is this the location /opt/so/conf/suricata/threshold.conf?

This file is empty after a highstate

I checked the suricata and highstate logs for errors but found none

• /opt/so/log/suricata/suricata.log
• /opt/so/log/salt/master
• /opt/so/log/salt/minion
• /opt/so/log/salt/so-salt-minion-check
• /opt/so/log/salt/state-apply-test
• /opt/so/log/soc/salt-relay.log
• /opt/so/log/soc/sync.log
• /opt/so/log/soc/sensoroni-server.log

Which logs can I check to see where things are going wrong?

Regards
Bart

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[robbiemarshall]

Where are you adding the thresholding configuration? What does the actual syntax look like? Are you trying to threshold, rate filter, or suppress? Each of those have slightly different syntax.

[sleepingbel]

Hello Robbie,

I add the config in the web interface in the grid configuration under suricata > thresholding > sid's. the actual syntax is like the example above and i suppres only. I used the example in the documentation for creating of the threshold config.

I had a SO 2.3 running i know how to config a suricata threshold in SO when you still need to do it in the minion sls. The config used in SO 2.4 is not so different.

[dougburks]

The link you used was a section of documentation that had not been fully updated for 2.4:
https://docs.securityonion.net/en/2.4/suricata.html?highlight=suricata#thresholding

That link has been updated to point to the Managing Alerts section:
https://docs.securityonion.net/en/2.4/managing-alerts.html#threshold

Please try that and see if it works. Please note that your config should start with the SID (so unlike 2.3 you shouldn't need the thresholding: and sids: lines).

[sleepingbel]

Thx Doug,

I changed the config and will check if the threshold works.

[sleepingbel]

It works Doug. you where right it was due to the documetatiob.