Local storage vs. internet for so-rule-update

[Maji-Shan]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

256

Storage for /

6 TB

Storage for /nsm

4 TB

Network Traffic Collection

span port

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello, I am encountering an issue on our new 2.4 build. I wasn't the one to install this current build, however we previously have always used airgapped builds. In the past, we'd drop our ruleset we obtained from an external server, then drop it into our managers nsm/rules directory as emering-all.rules. We'd then run so-rule-update and it'd do the job.

However I an running into an issue at this moment as I am not sure why when we run so-rule-update, it's attempting to reach out to the internet and retrieve the file. This could be a misclick from an install and our firewall still blocks it, however whenever I try to put the rules "/nsm/rules/suricata/" directory and run so-rule-update, it just hangs on "Fetching https://rules.emergingthreats.net/open/suricata-6.0.0/emerging.rules.tar.gz.", unable to go onto the next step. Is there way to change this URL variable to just point to our local storage? "http://****:7788/suricata/emerging-all.rules"

I tried going into the Security onion configuration panel and adding that as a custom URL however it'd just error out, and I also added just the IP so it didn't need to resolve and when I tried so-rule-update it wouldn't even do anything.I also attempted to hunt down where I could modify rulecat.conf to just not point to that location and I couldn't figure that out or what to modify, and I also attempted to turn off IDSTOOLS in the manager configuration panel.

At this moment I'm not really sure how I would be able to install the rules I drop into the "/nsm/rules/suricata/" directory. If there was an incorrect installation done with our setup could that of caused this? If so, is there a way to fix that? Thank you in advance. :)

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Sounds like this one wasn't installed as an Airgap. What's the value of global --> airgap in the Configuration interface?

[Maji-Shan]

It's marked as "True", read-only.

My only thoughts after searching around is that idstools is a component of the command that downloads the rulesets. Should I just disable it or will that break functionality of the command?

[reyesj2]

so-rule-update will download the latest rules from the internet
You will use soup and the latest ISO to update your rules or you can place them in /nsm/rules/suricata/emerging-all.rules on the manager. Those rules will be distributed down to the sensors.
https://docs.securityonion.net/en/2.4/airgap.html#rule-updates

[Maji-Shan]

Found my solution to my issue by messing around in the scripts. I noticed that in /usr/sbin/so-rule-update it has this portion to download from the internet.

However when I check /opt/so/saltstack/default/salt/idstools/tools/sbin_jinja/so-rule-update I see this check that technically true but it still runs and downloads from the internet. I'm not an expert so I could be looking at something completely incorrect so apologies.

I'm aware that salt will automatically pull the rules from /nsm/rules/suricata/emerging-all.rules down to the sensors also. I was just curious why all of a sudden this had changed whether it was done purposefully or not.
I found that running this command will pull from local storage http://****:7788/suricata/emerging-all.rules.

docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force"

I didn't test it but I think will still allow you to add the argument modifiers to idstools-rulecat. Here is the suricata documentation for it. https://idstools.readthedocs.io/en/latest/tools/rulecat.html