Rules management Tab

Sergey
Updated on July 18, 2024

Suricata Rule Management Tab

The Rule Management Tab provides tools for viewing, adding, editing, enabling/disabling and removing Suricata rules through the web interface. Every change is validated before it is written, so the rules file cannot be left in a state Suricata refuses to load.

System Overview

The Rule Management System uses a backend service that reads and rewrites the Suricata rules file configured for it. The backend offers rule validation, creation, modification, deletion and status toggling, and it can query rules by SID, action, protocol and status (enabled or disabled).

Key Features

  1. Viewing Rules:

    • Retrieve a paginated list of all rules, or only the rules matching a SID, action, status or protocol.

    • Usage: Send a GET request to the appropriate endpoint (/rules, /rules/by_sid/{sid}, /rules/by_action/{action}, /rules/by_status/{status}, /rules/by_protocol/{proto}).

  2. Adding Rules:

    • Add a new rule to the rules file. The rule is validated first, so a malformed rule is rejected rather than stored.

    • Usage: Send a POST request to /rules/add with the rule content in JSON format.

  3. Editing Rules:

    • Replace an existing rule with a new version. The new rule is validated and then written over the old one in the rules file.

    • Usage: Send a PUT request to /rules/update with both the old and the new rule content in JSON format.

  4. Deleting Rules:

    • Remove a rule from the rules file. The file is rewritten without the matching rule line.

    • Usage: Send a DELETE request to /rules/delete with the rule content to be removed in JSON format.

  5. Rule Validation:

    • Check a rule with Suricata itself, so that it is both syntactically and semantically correct (a well-formed header and options Suricata accepts) before it is added or updated.

    • Usage: Send a POST request to /rules/validate with the rule content.

  6. Reloading Rules:

    • Reload the Suricata ruleset without restarting the service. Add, update, delete and toggle change the rules file only; the running Suricata keeps using its current ruleset until a reload. A blocking reload returns once the new ruleset is live; a non-blocking reload returns immediately while Suricata swaps the ruleset in the background.

    • Usage: Use /rules/reload for a blocking reload and /rules/reload_nonblocking for a non-blocking one.

  7. Rule Status Toggling:

    • Enable or disable a rule by commenting or uncommenting its line in the rules file (a leading # disables it). As with the other edits, the change takes effect after the next reload.

    • Usage: Send a POST request to /rules/toggle with the rule content.
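The file-level behaviour behind these features (one rule per line, a leading # marking a disabled rule, lookups by SID, action, protocol and status, duplicate-SID detection, and validation before anything is written) can be modelled locally. The following Python is an added example and not Suri-Oculus code: the sample rules are constructed, the regular expressions are a deliberately simple reading of the Suricata rule format, and the backend's own check through Suricata itself is not reproduced here. Deleting a rule is the same line replacement as toggling or updating, with an empty replacement (`_replace_line(text, old, None)`).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample rules file; these lines are not from the Suri-Oculus documentation.
SAMPLE_RULES = """\
# local.rules - constructed sample
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; sid:1000001; rev:1;)
# drop udp any any -> any 69 (msg:"LOCAL TFTP blocked"; sid:1000002; rev:2;)
alert http any any -> any any (msg:"LOCAL sqlmap UA"; http.user_agent; content:"sqlmap"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL sid collision"; sid:1000001; rev:1;)
"""

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
# action proto src sport direction dst dport (options); an optional leading '#' marks a disabled rule
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<proto>\S+)\s+"
    r"\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<options>.*)\)\s*$"
)
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    line_no: int        # 1-based line number in the rules file
    raw: str            # the line exactly as stored, including a leading '#' if disabled
    enabled: bool
    action: str
    proto: str
    sid: Optional[int]


def parse_rules(text: str) -> list[Rule]:
    """Every rule line, enabled or commented out; ordinary comments are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid_m = SID_RE.search(m["options"])
        rules.append(Rule(n, line, m["disabled"] is None, m["action"],
                          m["proto"].lower(), int(sid_m.group(1)) if sid_m else None))
    return rules


def find_duplicate_sids(rules: Iterable[Rule]) -> dict[int, list[int]]:
    """SID -> line numbers, for SIDs used by more than one rule line."""
    seen = {}
    for r in rules:
        if r.sid is not None:
            seen.setdefault(r.sid, []).append(r.line_no)
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}


def filter_rules(rules, *, sid=None, action=None, proto=None, status=None) -> list[Rule]:
    """The by_sid / by_action / by_protocol / by_status lookups over a parsed file."""
    out = list(rules)
    if sid is not None:
        out = [r for r in out if r.sid == sid]
    if action:
        out = [r for r in out if r.action == action]
    if proto:
        out = [r for r in out if r.proto == proto.lower()]
    if status:
        out = [r for r in out if r.enabled == (status == "enabled")]
    return out


def validate_rule(rule: str, existing: Iterable[Rule] = ()) -> list[str]:
    """Cheap checks before the file is touched; Suricata itself remains the authoritative check."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["not a recognisable Suricata rule"]
    errors = []
    sid_m = SID_RE.search(m["options"])
    if not sid_m:
        errors.append("missing sid")
    elif any(r.sid == int(sid_m.group(1)) for r in existing):
        errors.append(f"sid {sid_m.group(1)} already present in the rules file")
    return errors


def _replace_line(text: str, old: str, new: Optional[str]) -> str:
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip("\n") == old:
            lines[i] = "" if new is None else new + "\n"   # None deletes the line
            return "".join(lines)
    raise ValueError("rule not found")


def toggle_rule(text: str, rule_line: str) -> str:
    """Disable by prefixing '# ', enable by stripping the leading '#' (takes effect on reload)."""
    new = rule_line[1:].lstrip() if rule_line.startswith("#") else "# " + rule_line
    return _replace_line(text, rule_line, new)


def add_rule(text: str, rule: str) -> str:
    errors = validate_rule(rule, parse_rules(text))
    if errors:
        raise ValueError("; ".join(errors))
    return text + ("" if text.endswith("\n") else "\n") + rule.strip() + "\n"


def update_rule(text: str, old: str, new: str) -> str:
    errors = validate_rule(new, [r for r in parse_rules(text) if r.raw != old])
    if errors:
        raise ValueError("; ".join(errors))
    return _replace_line(text, old, new.strip())
```

Running `find_duplicate_sids(parse_rules(SAMPLE_RULES))` on the constructed file reports SID 1000001 on lines 2 and 5, which is what the "Search Duplicated SIDs" button is for; `add_rule` refuses a rule whose SID is already present, while `update_rule` excludes the line being replaced from that check so a revision bump is allowed.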

CORS Support

  • All HTTP responses include CORS (Cross-Origin Resource Sharing) headers, so the web interface and other clients can call the backend from a different origin (host or port) than the one that serves them.

  • Because these endpoints rewrite the rules file and reload the IDS, keep the backend reachable only from trusted networks and restrict the allowed origins to the hosts that actually serve the web interface rather than leaving them open to any origin.

Error Handling

  • The backend returns a detailed error message in the HTTP response to assist in diagnosing problems during rule management operations. Clients should read the body of a non-2xx response rather than discarding it, since that is where the reason for the failure is reported.

Configuration and Setup

  • System configuration is managed through a configuration file (config++.conf), which includes the path to the rules file and other operational parameters. The rules file path must be the one Suricata loads; otherwise edits made through the tab are never picked up by a reload.

Integration Tips

  • Make sure your client application sends and parses JSON correctly, as all communication with the backend is in JSON format.

  • Back up your rules file regularly, and before bulk edits, so that a mistaken deletion or update can be reverted.
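A client that follows these tips is shown below as an added example; it is not part of the Suri-Oculus project. It talks JSON in both directions, keeps the body of error responses so the backend's message reaches the caller, and drives the validate, add, reload and read-back steps in order, stopping at the first failure. The base URL, the JSON field names ("rule", "old_rule", "new_rule") and POST as the method for the reload endpoints are assumptions, since the page does not show the request schema; the fake transport exists so the sequence can be exercised offline.

```python
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Hypothetical base URL; in a real deployment the host and port come from config++.conf.
BASE_URL = "http://127.0.0.1:8080"

# A transport takes (method, url, json_payload_or_None) and returns (http_status, body_bytes).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, payload: Optional[dict]) -> Tuple[int, bytes]:
    """Real HTTP transport using only the standard library."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()       # keep the body: it carries the backend's error message


class FakeTransport:
    """Offline stand-in that records calls and can fail one endpoint (for tests and dry runs)."""

    def __init__(self, fail_path: Optional[str] = None):
        self.calls: list[tuple[str, str, Optional[dict]]] = []
        self.fail_path = fail_path

    def __call__(self, method: str, url: str, payload: Optional[dict]) -> Tuple[int, bytes]:
        self.calls.append((method, url, payload))
        if self.fail_path and url.endswith(self.fail_path):
            return 400, b'{"error": "rule failed validation"}'
        return 200, b'{"status": "ok"}'


class RulesClient:
    """Thin client for the rule-management endpoints. The JSON field names and the
    POST method for the reload endpoints are assumptions, not documented on the page."""

    def __init__(self, base_url: str = BASE_URL, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        status, body = self.transport(method, self.base_url + path, payload)
        try:
            parsed = json.loads(body) if body else {}
        except json.JSONDecodeError:
            raise RuntimeError(f"{method} {path}: HTTP {status} with non-JSON body {body[:200]!r}")
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path}: HTTP {status}: {parsed}")
        return parsed

    def validate(self, rule: str) -> dict:
        return self._call("POST", "/rules/validate", {"rule": rule})

    def add(self, rule: str) -> dict:
        return self._call("POST", "/rules/add", {"rule": rule})

    def update(self, old: str, new: str) -> dict:
        return self._call("PUT", "/rules/update", {"old_rule": old, "new_rule": new})

    def delete(self, rule: str) -> dict:
        return self._call("DELETE", "/rules/delete", {"rule": rule})

    def toggle(self, rule: str) -> dict:
        return self._call("POST", "/rules/toggle", {"rule": rule})

    def by_sid(self, sid: int) -> dict:
        return self._call("GET", f"/rules/by_sid/{int(sid)}")   # int() keeps the path to a number

    def reload(self, blocking: bool = True) -> dict:
        return self._call("POST", "/rules/reload" if blocking else "/rules/reload_nonblocking")


def deploy_rule(client: RulesClient, rule: str) -> dict:
    """Validate, write, reload, then read the rule back by SID. Stops at the first failure,
    so a rule that fails validation is never written and never triggers a reload."""
    sid_m = re.search(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;", rule)
    if not sid_m:
        raise ValueError("rule has no sid; refusing to deploy")
    client.validate(rule)
    client.add(rule)
    client.reload(blocking=True)          # blocking: return only once Suricata runs the new ruleset
    return client.by_sid(int(sid_m.group(1)))


if __name__ == "__main__":
    fake = FakeTransport()
    print(deploy_rule(RulesClient("http://example.invalid", fake),
                      'alert tcp any any -> any 4444 (msg:"LOCAL test"; sid:1000010; rev:1;)'))
    for call in fake.calls:
        print(call)
```

Swap `FakeTransport()` for the default `urllib_transport` to talk to a real backend. The blocking reload is used on purpose: the read-back by SID only proves the rule is in the file, so a caller that needs to know the rule is live should wait for the blocking reload to return before reporting success.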

This user guide aims to provide you with all the necessary information to use the Suricata Rule Management System effectively. Whether you are integrating it into an existing system or using it as a standalone service, the tools provided will help maintain and manage your Suricata rules efficiently.

Rules Tab. Top

Search by SID (Signature ID):

  • SID Input Field: Users can enter the unique identifier of a rule (its sid option) to search for a specific rule.

  • "Search by SID" Button: Initiates the search for a rule based on the entered SID.

  • "Search Duplicated SIDs" Button: Lists rules that share the same SID. Suricata expects SIDs to be unique within a ruleset and reports duplicates when loading it, so this search is worth running before a reload.

Search by Action:

  • Action Dropdown List: Allows users to select a rule action, such as alert, drop or pass, to filter rules.

  • “Search by Action” Button: Initiates the search for rules based on the selected action.

Search by Protocol:

  • Protocol Dropdown List: Allows users to select a protocol, such as TCP, UDP, HTTP, and others, to filter rules by traffic type.

  • “Search by Protocol” Button: Initiates the search for rules based on the selected protocol.

Search by Status:

  • Status Dropdown List: Allows users to select a rule status, such as enabled or disabled.

  • “Search by Status” Button: Initiates the search for rules based on the selected status.

General Rule Actions:

  • “Show Rules” Button: Displays all rules.

  • “General Search” Button: Initiates a general search for rules based on parameters.

  • “Add Rule” Button: Opens a modal window for adding a new rule.

  • “Delete Rule” Button: Deletes the selected rule.

  • “Update Rule” Button: Opens a modal window for editing and updating the selected rule.

  • “Toggle Rule Status” Button: Toggles the status of the selected rule between enabled/disabled.

  • “Clear Fields” Button: Clears all input fields on the tab.

Rules Tab. Bottom

Additional Elements:

  • Rule Display Area (ruleContent): Displays search results or the list of rules.

  • Pagination: “Previous” and “Next” buttons for navigating through result pages. Shows the current page (currentPage).

  • Page Size Selection (pageSizeSelect): Allows users to select the number of rules displayed per page (10, 20, 30).

  • Rule Details (ruleDetails): Displays detailed information about the selected rule.

More about Suricata rules.

About threats management.
