Questions about enabled detection after initial setup

[security-companion]

Version

2.4.160

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

24GB

Storage for /

314

Storage for /nsm

673

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
I noticed that after installing security-onion some suricata rules are enabled and some not.
Query used in detections tab: so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category so_detection.isEnabled
Eg. for ET Malware category 15,881 rules are enabled and 7,447 are disabled.
What is the criteria for enabeling certain rules on default and others not? Is it eg. the confidence value inside the suricata rule?

Would it be possible to parse the confidence value and show it in the details table so that it is possible to filter for it?

Best regards
security-companion

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

https://community.emergingthreats.net/t/frequently-asked-questions/56#why-would-a-rule-ship-disabled-9

[security-companion]

Hi Chris,
thank you very much for the link.
In my environment I have for certain categories (let's take ET Malware as an example) every rule through regexp enabled. The reason for this is that if a new rule is created due to a new threat I want this to be enabled automatically in my environment.
The downside of this is that with the regexp also all existing rules get enabled - no matter if they were shipped disabled or enabled.

Is there a way

• to filter in alarms section all alarms out that belong to rules that were shipped disabled?
• to filter in detections section for rules that were/were not enabled by default?
• to enable with regexp only new future rules that would ship enabled but not disabled rules (either new rules being shipped disabled or old rules that were shipped disabled when introduced in the past)?

Best regards
security-companion

[cm-ops]

You would need to have no tuning to see what comes disabled. In Detections you can see what is enabled and disabled by the true/false in the enabled column.

To filter on what is enabled or disabled by default, key on the above column to see.

Emerging Threats makes the deterimations on enabling or disabling a rule. I imagine if you kept an eye on https://community.emergingthreats.net/c/ruleset-updates/9 you might be able to see if it is possible, but it would probably be a mamual process and your regex would need adjusting.

[security-companion]

Thank you for your comment.
However to check with the enabled column what comes disabled/enabled by default only works if I did not apply regex to the respective category afterwards. Because after applying regex everything in one category is enabled, no matter if it was enabled/disabled by default.

If I have enabled a complete category through regexp - how can I then come back to what was enabled by default for this category after removing again the regexp?

Would you mind writing here if in the future some colum like rule.enabled_by_default is introduced?

What would be your advice on which categories to enable all rules via regex? How do others do this? Do they just work with what is enabled by default and not touch regexp enabling/disabling?

Best regards
security-companion

[cm-ops]

Yes, that's why I mentioned you would need to have no tuning applied to see that. There isn't a field in the rule that specifies whether it is enabled by default or not.

It really comes down to your network and what you want to alert on.

[security-companion]

Thank you very much, and thanks again for your time.