Create new suricata address group

[rosswakelin]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

250Gb

Storage for /nsm

1Tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Happy new year!!
We are migrating from 2.3 to 2.4, deciding that a complete parallel rebuild is the best way, and then upgrading our distributed sensors one-by-one, registering them with the new manager infrastructure as we go.
We are migrating our manager config to 2.4 and have a small problem...we have defined a number of custom address groups for Suricata which we use to tune alerts etc. based on where the network traffic is from/to (e.g. ignoring some alerts from our guest subnets). Within the 2.4 GUI, we can see the built in address groups under Suricata -> config -> vars -> address-groups, but we cannot see any ability to ADD additional groups. Do we need to add these directly into the config files, and if so, which one?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[reyesj2]

From #12086

This would be under Administration -> Configuration. At the top of the configuration page hit the drop down 'Options' menu and enable 'Show all configurable settings'.

Then navigate to the Suricata section, at the bottom there is an 'Advanced' section for suricata. Here is an example of how you'd make custom address-groups. (for copy paste)

suricata:
  config:
    vars:
      address-groups:
        NEW_GROUP1:
          - 10.11.11.0/24
          - 10.12.12.0/24
        NEW_GROUP2: 
          - 10.13.13.0/24

Once you have added that to your suricata config under advanced, at top of the configuration screen open the 'Options' menu again and press 'Synchronize grid'. That will take some time, but will add a new address-group to your suricata.yaml. Here is mine after the above changes.

[rosswakelin]

Thanks for that. I was somehow hoping that I could add additional groups into the GUI for editing but oh well.
FYI, both of your images above are not able to be seen, the error message is:
This private-user-images.githubusercontent.com page can’t be foundNo web page was found for the web address: https://private-user-images.githubusercontent.com/94730068/294520327-a51dc0be-1b8b-4c44-98f4-cf55847835ab.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MDQ3MjE5MTMsIm5iZiI6MTcwNDcyMTYxMywicGF0aCI6Ii85NDczMDA2OC8yOTQ1MjAzMjctYTUxZGMwYmUtMWI4Yi00YzQ0LTk4ZjQtY2Y1NTg0NzgzNWFiLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDAxMDglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwMTA4VDEzNDY1M1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTFjNzE3YTY3N2JmMDJlMGIyZTA4MTU1MGY4MWUyYTVhMmJkYjQ2ZDY2MGVhZjZhOTIwNGI4MGNkMTdiODJjNDMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.wLmG3m1ZfMyAdqbvwQ_JZ8TSyvGCylZlI101jXvRP60 HTTP ERROR 404