I want to apply different suricata rules to different foward nodes in a distributed architecture.

[89sooner]

I want to apply different suricata rules to different foward nodes in a distributed architecture.

I have a distributed architecture and the foward nodes are collecting traffic from different network bands. How can I apply different suricata rules in this case? Thanks in advance for your response.

[InfosecGoon]

The suricata rules are maintained and modified by idstools on the Manager node, and then replicated to all of the forward nodes by salt. There's no built-in functionality that will tweak the rules sent to individual forward nodes.

[TOoSmOotH]

You can use thresholding to accomplish the same end result as different rulesets as well as setting your vars correctly for suricata.

[89sooner]

Does this mean I can use thresholds to deploy rules to different nodes? I've checked the link you provided and it doesn't give me an answer, could you give me an example?

[89sooner]

Am I correct in understanding that if I set a thresholding for sid in each minion pillar, it will be different if sid is deployed to all forward nodes in manager?

[TOoSmOotH]

You can threshold it in global or target sensors. Don't think about your network as a bunch of different sensors but one network.

Example:

DMZ IP range 10.10.10.0/24
LAN IP range 10.20.0.0/16
VPN IP range 10.30.0.0.16

Let's say you have a portscan alert with a sid of 123 and you want to know internally if you are seeing portscans but its a bunch of noise on the DMZ network because the internet is going to internet. You would suppress src 0.0.0.0/0 dst 10.10.10.0/24 sid 123

Doing that you have essentially disabled that rule for any sensor that sees DMZ traffic. Now let's say you have 20 different DMZ ranges. You can create a $DMZ var that has the list of all your DMZs and you can change your suppress threshold to be src 0.0.0.0/0 dst $DMZ sid 123.

I personally prefer to do this in global so that all my sensors run the same threshold but it can also be done per sensor. That way if a sensor sees both LAN and DMZ it would still suppress the alerts.

[89sooner]

Thank you very much for the detailed explanation. I will take note and try to configure it.