[Oisf-devel] Draft Response to Victor

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jun 3 07:56:02 UTC 2015


On Tue, Jun 2, 2015 at 11:08 PM, John Griffith <jgriffit at bbn.com> wrote:
> OK, then have we got a deal for you.
>
> The bottom line is we are tasked with providing this integration. A goal of
> the project I am on is to distribute rules via TAXII to subscribing Suricata
> hosts, then adding those new rules to the running Suricata instance on that
> host. We would like to do so without disturbing the detection engine already
> running so the instance wouldn't lose any state.
>
> A stated goal of the project is the delivery of the changes we are making to
> the Suricata code base for your review and - if you so determine -
> integration. We intend also to put the STIX/TAXII distribution
> infrastructure source up for public use through some yet-to-be determined
> means - possibly GitHub.
>
> The current design uses a daemon on the Suricata host to receive incremental
> sets of rules from one or more trusted distribution sites. The daemon saves
> these rules to a file, then uses the unix socket interface to tell Suricata
> that new rules are available and where they are. Note that only 'NEW' rules
> will be distributed in this fashion.
>
> The unix socket thread has been modified to accept a new 'append-rules'
> command. This command specifies a path to a file that contains the 'new'
> rules, and we are smoke testing a version that does a 'SIGUSR2' rule type
> update - basically the existing 'ReloadRules' functionality with the ability
> to read an additional specified file. This gives us the desired 'external'
> behavior, but we'd like to go further.
>

Yes, this should work fine, with the existing infrastructure.

Another easier way, if you have control over the config file, is to
add a predefined rules file to the yaml file, which we'll call
"custom.rules", and have the daemon append any new rule to this rules
file, after which it can send a SIGUSR2 to suricata.  You need no
changes in the suricata codebase to support it.

> Once this initial version is working, the next thing we'd like to do is see
> if we can insert the new rules into the existing detection engine without
> reparsing all the other rules or disturbing their current state. The goal
> would be to get the new rules (and only the new rules) parsed, get any
> associated state initialized, and then insert them into the rule list in the
> running detection engine, pausing it only long enough to update the list
> pointers. We do not want to disturb the state of the currently running rules
> and allow them to continue processing packets & flows uninterrupted (or as
> much so as possible).
>

Looks good as well.

> If you (or anyone else) have/has any thoughts or comments on this approach,
> we'd appreciate hearing them. We're still pretty flexible at this point, but
> we intend to pretty much finish up implementation this month...
>
>
> On 6/2/2015 4:59 AM, Victor Julien wrote:
>
> On 05/01/2015 01:35 PM, John Griffith wrote:
>
> I'm working on a project that could use Suricata integrated with STIX
> and TAXII - but I can't find any information other than the announcement
> last May that such an integration had been completed.
>
> Could someone point me in the right direction towards code or a project
> site?
>
> Sadly, this code was never contributed. Doesn't look like it will happen
> anymore either.
>

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
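The workflow Anoop suggests, as an added example that is not part of the thread (not code from either poster or from the Suricata project): "custom.rules" is listed once under rule-files in suricata.yaml, the receiving daemon appends each new rule to that file, and then sends SIGUSR2 to the running Suricata so it reloads its rule set without restarting and without dropping flow state. The paths in RULES_FILE and PIDFILE are assumptions; the rule text in the comments is constructed. The append step also skips rules whose sid is already present, since a duplicate sid makes the reload fail on that rule.

```shell
#!/bin/sh
# Added example: feed externally distributed rules into a running Suricata
# via a pre-declared rules file plus SIGUSR2 (no Suricata code changes).
# Assumed locations; override via the environment if yours differ.
RULES_FILE="${RULES_FILE:-/etc/suricata/rules/custom.rules}"
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"

# Print the sid of a single rule line; print nothing if it has no sid option.
rule_sid() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:];(]sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Append one rule to $RULES_FILE unless a rule with the same sid is already
# there (Suricata rejects a rule set that repeats a sid).
# Prints "added", "duplicate" or "rejected" so callers can check the outcome.
append_rule() {
    rule="$1"
    sid=$(rule_sid "$rule")
    if [ -z "$sid" ]; then
        echo rejected
        return 1
    fi
    touch "$RULES_FILE"
    if grep -q "sid:[[:space:]]*$sid[[:space:]]*;" "$RULES_FILE"; then
        echo duplicate
        return 0
    fi
    printf '%s\n' "$rule" >> "$RULES_FILE"
    echo added
}

# Tell the running Suricata to reload its rules in place: SIGUSR2 triggers
# the existing rule reload, so flows and engine state survive the update.
reload_rules() {
    if [ ! -r "$PIDFILE" ]; then
        echo "no readable pidfile at $PIDFILE" >&2
        return 1
    fi
    kill -s USR2 "$(cat "$PIDFILE")"
}

# Typical daemon use (constructed rule text):
#   append_rule 'alert tcp any any -> any 80 (msg:"constructed"; content:"x"; sid:9000001; rev:1;)'
#   reload_rules
```

The rules file must already be named in suricata.yaml before Suricata starts; the reload only re-reads files the configuration already knows about, which is exactly why this needs no change in the Suricata code.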


