Talos ruleset syntax #5737
-
I am attempting to move to the Talos ruleset from the default Suricata ruleset as I have access to an oinkcode. I will also be moving to ET Pro later in the year once a license is secured; however, I am interested in the syntax for this. In the documents it says to change the idstools: subfield "ruleset" to 'ETPRO'. This is the resolution for the ET Pro subscription, sure. What is the naming convention for the Snort/Talos ruleset, though?
Replies: 4 comments 3 replies
-
IIRC, it should be TALOS.
-
I understand that some rules won't work with Snort; however, there doesn't seem to be any documentation on getting Snort turned on in SO (as it is not a feature). The ruleset defaults to having 80% of the rules turned off by default. I manually turned all of the rules on in the local.rules file and it starts lighting up alerts; however, every time the ruleset updates it disables those rules.

What is the best way to enable all of the rules via so-rule enabled add so that it does not keep disabling everything? I can't determine if there is even a possibility of doing that or if it must be done manually for all 40k rules.
On Tue, Oct 12, 2021 at 4:50 AM Doug Burks wrote:
> First, please note that the TALOS ruleset includes some Shared Object rules which will only work with Snort and not Suricata: https://docs.securityonion.net/en/2.3/rules.html#snort-subscriber-talos
> Of the remaining rules that are not Shared Object rules, it's possible that there are some that are disabled by default that you may have to manually enable.
-
Thanks Doug!
Sorry for wasting your time, I was just having a brain fart re: enabling all of the rules necessary.
On Wed, Oct 13, 2021 at 6:27 AM Doug Burks wrote:
> so-rule allows you to enable via regex, so it seems like you should be able to use a regex to enable all rules: https://docs.securityonion.net/en/2.3/managing-alerts.html#so-rule
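The two answers above (set `ruleset: 'TALOS'` in the idstools pillar, then use so-rule's `re:` regex form to enable rules persistently) leave one practical gap: checking, from the shell, what a regex would actually flip and whether the enables survived the next `so-rule-update`. The script below is an added example, not code from this thread or from the Security Onion project. It audits a Suricata/Snort rules file for active versus commented-out rules and dry-runs a regex against the disabled ones. The path `/opt/so/rules/nids/all.rules` and the `so-rule enabled add 're:...'` syntax are taken from the 2.3 docs linked in the thread; the assumption that so-rule's regex is applied to the rule text the same way grep applies it is mine, and the sample rules written by `make_sample_rules` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion code base):
# audit which rules in a Suricata/Snort rules file are enabled or disabled,
# and preview what a regex passed to "so-rule enabled add 're:<regex>'"
# would re-enable. Run it on the manager; override RULES_FILE to test elsewhere.

RULES_FILE="${RULES_FILE:-/opt/so/rules/nids/all.rules}"   # 2.3 location per the docs

# ERE matching the action keyword that starts a rule line.
ACTION='(alert|drop|reject|pass) '

# Print "<enabled> <disabled>" for a rules file. A disabled rule is a rule
# line commented out with '#', which is how the ruleset ships them.
rule_counts() {
    enabled=$(grep -Ec "^$ACTION" "$1" || true)
    disabled=$(grep -Ec "^#[[:space:]]*$ACTION" "$1" || true)
    echo "$enabled $disabled"
}

# Print the SIDs of disabled rules, one per line, lowest first.
disabled_sids() {
    grep -E "^#[[:space:]]*$ACTION" "$1" \
      | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
      | sort -n
}

# Dry run: how many currently disabled rules match the regex, i.e. roughly
# what "so-rule enabled add 're:<regex>'" would turn on.
# (Assumption: so-rule matches its regex against the rule text like grep -E.)
preview_enable() {
    grep -E "^#[[:space:]]*$ACTION" "$1" | grep -Ec "$2" || true
}

# Write a constructed sample rules file (not real ruleset content) and print
# its path, so the functions above can be exercised without a manager.
make_sample_rules() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh banner"; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"SAMPLE dns update"; sid:1000002; rev:1;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"SAMPLE dns tunnel"; sid:1000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE http exploit"; sid:1000004; rev:1;)
# This comment is not a rule and must not be counted.
EOF
    echo "$f"
}

# Typical sequence on the manager (commented out so the script is safe to
# source; so-rule and so-rule-update are the CLI names from the 2.3 docs):
#   rule_counts "$RULES_FILE"              # how much of the ruleset is off
#   preview_enable "$RULES_FILE" 'dns'     # what a narrow regex would enable
#   so-rule enabled add 're:.*'            # enable everything, persistently
#   so-rule-update && rule_counts "$RULES_FILE"   # confirm after the next update
```

`rule_counts` after `so-rule-update` is the check that matters: if the disabled count climbs back to its pre-enable value, the enable was written to the wrong place (hand-editing local.rules, as the thread describes) rather than through so-rule. Preview with a narrow regex first; `re:.*` on a 40k-rule set is a large change in sensor load and alert volume.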