SO 2.4.70 Detections - Bulk Rule Tuning Possible?

[TheRealPancakes]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

512G

Storage for /

445.07 GiB

Storage for /nsm

11.64 TiB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

I've just updated to SO 2.4.70 and I'm wondering if there is any way to bulk add Suricata rule thresholds now that the Detections interface has launched? I have too many thresholds to reasonably add them one at a time in the webui. The old interface at suricata->thresholding->SIDS is now read-only.

Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Koen1999]

I agree with OP that bulk tuning could be beneficial. For example, a way to suppress rules based on regular expressions could allow for disabling all dynamic dns rules or all ET POLICY rules at once. Us home users are not interested in Steam or Discord related alerts.

[TheRealPancakes]

I'm going to add another note to this thread. Unless I reload the detection/tuning_tab page between write operations, I get a popup error "A detection with this public Id already exists. Please choose a different public Id." when the next write operation is attempted.

[TheRealPancakes]

I created custom suricata address-groups for the lists of CIDR blocks I want to use in suppression rules. Unfortunately, the regex check on the Detections->Tuning interface for the "IP - CIDR Notation" field won't allow the use of address-group names nor lists of CIDR blocks as inputs though they are supported by Suricata 7.0.5.

[TheRealPancakes]

I'm out of ideas. I'm going to resign myself to disabling instead of tuning noisy rules when the tuning requires anything more than a handful of CIDR blocks.

[TheRealPancakes]

I'm following up on this issue in case others encounter the same. With the release of SO 2.4.80, FEATURE: Support Suricata VARs for Overrides #13194 plus custom suricata address-groups [Configuration -> suricata -> advanced ] provided a path forward to accomplish this flavor of tuning task without having to click through adding each CIDR individually in the WebUI. Thanks!

suricata:
  config:
    vars:
      address-groups:
        WEBEX:
          - 4.152.214.0/24
          - 4.158.208.0/24
          - 4.175.120.0/24
          - 20.50.235.0/24
          - 20.53.87.0/24
          - 20.57.87.0/24
          - 20.68.154.0/24
          - 20.76.127.0/24
          - 20.108.99.0/24
          - 20.120.238.0/23
          - 23.89.0.0/16
          - 40.119.234.0/24
          - 44.234.52.192/26
          - 52.232.210.0/24
          - 62.109.192.0/18
          - 64.68.96.0/19
          - 66.114.160.0/20
          - 66.163.32.0/19
          - 69.26.160.0/19
          - 114.29.192.0/19
          - 144.196.0.0/16
          - 150.253.128.0/17
          - 163.129.0.0/16
          - 170.72.0.0/16
          - 170.133.128.0/18
          - 173.39.224.0/19
          - 173.243.0.0/20
          - 207.182.160.0/19
          - 209.197.192.0/19
          - 210.4.192.0/20
          - 216.151.128.0/19
        ZOOM:
          - 3.7.35.0/25
          - 3.21.137.128/25
          - 3.25.41.128/25
          - 3.80.20.128/25
          - 3.96.19.0/24
          - 3.101.52.0/25
          - 3.104.34.128/25
          - 3.120.121.0/25
          - 3.127.194.128/25
          - 3.208.72.0/25
          - 3.211.241.0/25
          - 3.235.71.128/25
          - 3.235.72.128/25
          - 3.235.73.0/25
          - 3.235.82.0/23
          - 3.235.96.0/23
          - 4.34.125.128/25
          - 4.35.64.128/25
          - 8.5.128.0/23
          - 13.52.6.128/25
          - 13.52.146.0/25
          - 15.220.80.0/24
          - 15.220.81.0/25
          - 16.63.29.0/24
          - 16.63.30.0/24
          - 18.157.88.0/24
          - 18.205.93.128/25
          - 18.254.23.128/25
          - 18.254.61.0/25
          - 20.203.158.80/28
          - 20.203.190.192/26
          - 50.239.202.0/23
          - 50.239.204.0/24
          - 52.61.100.128/25
          - 52.202.62.192/26
          - 52.215.168.0/25
          - 64.125.62.0/24
          - 64.211.144.0/24
          - 64.224.32.0/19
          - 65.39.152.0/24
          - 69.174.57.0/24
          - 69.174.108.0/22
          - 99.79.20.0/25
          - 101.36.167.0/24
          - 101.36.170.0/23
          - 103.122.166.0/23
          - 111.33.115.0/25
          - 111.33.181.0/25
          - 115.110.154.192/26
          - 115.114.56.192/26
          - 115.114.115.0/26
          - 115.114.131.0/26
          - 120.29.148.0/24
          - 129.151.1.128/27
          - 129.151.1.192/27
          - 129.151.2.0/27
          - 129.151.3.160/27
          - 129.151.7.96/27
          - 129.151.11.64/27
          - 129.151.11.128/27
          - 129.151.12.0/27
          - 129.151.13.64/27
          - 129.151.15.224/27
          - 129.151.16.0/27
          - 129.151.31.224/27
          - 129.151.40.0/25
          - 129.151.40.160/27
          - 129.151.40.192/27
          - 129.151.41.0/25
          - 129.151.41.192/26
          - 129.151.42.0/27
          - 129.151.42.64/27
          - 129.151.42.128/26
          - 129.151.42.224/27
          - 129.151.43.0/27
          - 129.151.43.64/26
          - 129.151.48.0/27
          - 129.151.48.160/27
          - 129.151.49.0/26
          - 129.151.49.96/27
          - 129.151.49.128/27
          - 129.151.49.192/26
          - 129.151.50.0/27
          - 129.151.50.64/27
          - 129.151.52.128/26
          - 129.151.53.32/27
          - 129.151.53.224/27
          - 129.151.55.32/27
          - 129.151.56.32/27
          - 129.151.57.32/27
          - 129.151.60.192/27
          - 129.159.2.32/27
          - 129.159.2.192/27
          - 129.159.3.0/24
          - 129.159.4.0/23
          - 129.159.6.0/27
          - 129.159.6.96/27
          - 129.159.6.128/26
          - 129.159.6.192/27
          - 129.159.160.0/26
          - 129.159.160.64/27
          - 129.159.163.0/26
          - 129.159.163.160/27
          - 129.159.208.0/21
          - 129.159.216.0/26
          - 129.159.216.64/27
          - 129.159.216.128/26
          - 130.61.164.0/22
          - 132.226.176.0/25
          - 132.226.176.128/26
          - 132.226.177.96/27
          - 132.226.177.128/25
          - 132.226.178.0/27
          - 132.226.178.128/27
          - 132.226.178.224/27
          - 132.226.179.0/27
          - 132.226.179.64/27
          - 132.226.180.128/27
          - 132.226.183.160/27
          - 132.226.185.192/27
          - 134.224.0.0/16
          - 140.238.128.0/24
          - 140.238.232.0/22
          - 144.195.0.0/16
          - 147.124.96.0/19
          - 149.137.0.0/17
          - 150.230.224.0/25
          - 150.230.224.128/26
          - 150.230.224.224/27
          - 152.67.20.0/24
          - 152.67.118.0/24
          - 152.67.168.0/22
          - 152.67.180.0/24
          - 152.67.184.32/27
          - 152.67.240.0/21
          - 152.70.0.0/25
          - 152.70.0.128/26
          - 152.70.0.224/27
          - 152.70.1.0/25
          - 152.70.1.128/26
          - 152.70.1.192/27
          - 152.70.2.0/26
          - 152.70.7.192/27
          - 152.70.10.32/27
          - 152.70.224.32/27
          - 152.70.224.64/26
          - 152.70.224.160/27
          - 152.70.224.192/27
          - 152.70.225.0/25
          - 152.70.225.160/27
          - 152.70.225.192/27
          - 152.70.226.0/27
          - 152.70.227.96/27
          - 152.70.227.192/27
          - 152.70.228.0/27
          - 152.70.228.64/27
          - 152.70.228.128/27
          - 156.45.0.0/17
          - 158.101.64.0/24
          - 158.101.184.0/23
          - 158.101.186.0/25
          - 158.101.186.128/27
          - 158.101.186.192/26
          - 158.101.187.0/25
          - 158.101.187.160/27
          - 158.101.187.192/26
          - 159.124.0.0/16
          - 160.1.56.128/25
          - 161.199.136.0/22
          - 162.12.232.0/22
          - 162.255.36.0/22
          - 165.254.88.0/23
          - 166.108.64.0/18
          - 168.138.16.0/22
          - 168.138.48.0/24
          - 168.138.56.0/21
          - 168.138.72.0/24
          - 168.138.74.0/25
          - 168.138.80.0/25
          - 168.138.80.128/26
          - 168.138.80.224/27
          - 168.138.81.0/24
          - 168.138.82.0/23
          - 168.138.84.0/25
          - 168.138.84.128/27
          - 168.138.84.192/26
          - 168.138.85.0/24
          - 168.138.86.0/23
          - 168.138.96.0/22
          - 168.138.116.0/27
          - 168.138.116.64/27
          - 168.138.116.128/27
          - 168.138.116.224/27
          - 168.138.117.0/27
          - 168.138.117.96/27
          - 168.138.117.128/27
          - 168.138.118.0/27
          - 168.138.118.160/27
          - 168.138.118.224/27
          - 168.138.119.0/27
          - 168.138.119.128/27
          - 168.138.244.0/24
          - 170.114.0.0/16
          - 173.231.80.0/20
          - 192.204.12.0/22
          - 193.122.16.0/25
          - 193.122.16.192/27
          - 193.122.17.0/26
          - 193.122.17.64/27
          - 193.122.17.224/27
          - 193.122.18.32/27
          - 193.122.18.64/26
          - 193.122.18.160/27
          - 193.122.18.192/27
          - 193.122.19.0/27
          - 193.122.19.160/27
          - 193.122.19.192/27
          - 193.122.20.224/27
          - 193.122.21.96/27
          - 193.122.32.0/21
          - 193.122.40.0/22
          - 193.122.44.0/24
          - 193.122.45.32/27
          - 193.122.45.64/26
          - 193.122.45.128/25
          - 193.122.46.0/23
          - 193.122.208.96/27
          - 193.122.216.32/27
          - 193.122.222.0/27
          - 193.122.223.128/27
          - 193.122.226.160/27
          - 193.122.231.192/27
          - 193.122.232.160/27
          - 193.122.237.64/27
          - 193.122.244.160/27
          - 193.122.244.224/27
          - 193.122.245.0/27
          - 193.122.247.96/27
          - 193.122.252.192/27
          - 193.123.0.0/19
          - 193.123.40.0/21
          - 193.123.128.0/19
          - 193.123.168.0/21
          - 193.123.192.224/27
          - 193.123.193.0/27
          - 193.123.193.96/27
          - 193.123.194.96/27
          - 193.123.194.128/27
          - 193.123.194.224/27
          - 193.123.195.0/27
          - 193.123.196.0/27
          - 193.123.196.192/27
          - 193.123.197.0/27
          - 193.123.197.64/27
          - 193.123.198.64/27
          - 193.123.198.160/27
          - 193.123.199.64/27
          - 193.123.200.128/27
          - 193.123.201.32/27
          - 193.123.201.224/27
          - 193.123.202.64/27
          - 193.123.202.128/26
          - 193.123.203.0/27
          - 193.123.203.160/27
          - 193.123.203.192/27
          - 193.123.204.0/27
          - 193.123.204.64/27
          - 193.123.205.64/26
          - 193.123.205.128/27
          - 193.123.206.32/27
          - 193.123.206.128/27
          - 193.123.207.32/27
          - 193.123.208.160/27
          - 193.123.209.0/27
          - 193.123.209.96/27
          - 193.123.210.64/27
          - 193.123.211.224/27
          - 193.123.212.128/27
          - 193.123.215.192/26
          - 193.123.216.64/27
          - 193.123.216.128/27
          - 193.123.217.160/27
          - 193.123.219.64/27
          - 193.123.220.224/27
          - 193.123.222.64/27
          - 193.123.222.224/27
          - 198.251.128.0/17
          - 202.177.207.128/27
          - 204.80.104.0/21
          - 204.141.28.0/22
          - 206.247.0.0/16
          - 207.226.132.0/24
          - 209.9.211.0/24
          - 209.9.215.0/24
          - 213.19.144.0/24
          - 213.19.153.0/24
          - 213.244.140.0/24
          - 221.122.63.0/24
          - 221.122.64.0/24
          - 221.122.88.64/27
          - 221.122.88.128/25
          - 221.122.89.128/25
          - 221.123.139.192/27