Important Notice About Configuration

Sergey
Updated on December 18, 2024

The section defining rule files in your Suricata configuration should be structured as follows:

rule-files:
  - suricata.rules
  - additional.rules
  # - ioc_url.rules
  # - ioc_ip.rules
  # - ioc_domain.rules

In addition to the default file (suricata.rules), several other files can be included.

About additional.rules

The additional.rules file is designed to contain custom rules in the following format:

#drop dns $HOME_NET any -> any any (msg:"Oculus Universal DNS Query to universal media Malicious FQDN"; dns.query; dataset:isset, universal.blst, type string, load /var/lib/suricata/universal.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000001; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Porno DNS Query to porn media Malicious FQDN"; dns.query; dataset:isset, porno.blst, type string, load /var/lib/suricata/porn.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000002; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Social DNS Query to social media Malicious FQDN"; dns.query; dataset:isset, social.blst, type string, load /var/lib/suricata/social.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000003; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Fakenews DNS Query to fakenews media Malicious FQDN"; dns.query; dataset:isset, fakenews.blst, type string, load /var/lib/suricata/fakenews.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000004; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Gambling DNS Query to gambling media Malicious FQDN"; dns.query; dataset:isset, gambling.blst, type string, load /var/lib/suricata/gambling.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000005; rev:1;)

Purpose of These Rules

The rules in additional.rules serve to block and monitor DNS queries targeting specific categories of websites, such as:

  • Social Media
  • Adult Content
  • Fake News Sources
  • Gambling Sites, and more.

By doing so, these rules enhance your network’s security posture by preventing malicious or unwanted activities.

Integration with Suri Oculus

  • Enabling/Disabling Rules: These rules can be activated or deactivated directly through the Suri Oculus management system.
  • Dataset Updates: The required datasets (e.g., universal.blst, porn.blst, etc.) are updated using Oculus tools, ensuring your rule base is always up-to-date.
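As an added example (not the project's own code), here is a small Python helper for the additional.rules format listed above and for the enable/disable toggle described in this section: it parses each rule's action, sid, dataset name and load path, reports unparseable lines, duplicate sids and datasets that an enabled rule loads but that are missing on disk, and flips the leading "#" on a rule selected by sid. It assumes a rule is disabled exactly when its line starts with "#" (the page does not say how Suri Oculus implements the toggle); the two sample rules are constructed from the listing above, and file_exists is injectable so the check can run without the real /var/lib/suricata files.

```python
import os
import re
# Constructed sample: two rules in the additional.rules layout shown above,
# each disabled by the leading "#" as the file ships.
SAMPLE_RULES = """\
#drop dns $HOME_NET any -> any any (msg:"Oculus Universal DNS Query to universal media Malicious FQDN"; dns.query; dataset:isset, universal.blst, type string, load /var/lib/suricata/universal.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000001; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Porno DNS Query to porn media Malicious FQDN"; dns.query; dataset:isset, porno.blst, type string, load /var/lib/suricata/porn.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000002; rev:1;)
"""
# Optional leading "#" (rule disabled), action, protocol, then the "(...)" option block.
RULE_RE = re.compile(r'^(?P<off>#)?\s*(?P<action>alert|drop|pass|reject)\s+\S+\s.*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
DATASET_RE = re.compile(r'dataset:\s*isset,\s*([^,;]+),.*?\bload\s+([^,;]+)')

def parse_rule(line):
    """Fields needed by the checks below, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid, ds = SID_RE.search(m["opts"]), DATASET_RE.search(m["opts"])
    return {"enabled": m["off"] is None, "action": m["action"],
            "sid": int(sid[1]) if sid else None,
            "dataset": ds[1].strip() if ds else None,
            "load": ds[2].strip() if ds else None}

def lint_rules(text, file_exists=os.path.isfile):
    """(line, problem) for bad rules, duplicate sids, and missing datasets of enabled rules."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if r is None:
            if line.strip() and not line.lstrip().startswith("#"):  # blanks/comments are fine
                findings.append((lineno, "not a parseable rule"))
            continue
        if r["sid"] in seen:
            findings.append((lineno, f"duplicate sid {r['sid']} (also line {seen[r['sid']]})"))
        seen[r["sid"]] = lineno
        if r["enabled"] and r["load"] and not file_exists(r["load"]):
            findings.append((lineno, f"sid {r['sid']} is enabled but {r['load']} is missing"))
    return findings

def set_rule_enabled(text, sid, enabled):
    """Add/strip the leading "#" for this sid (assumed toggle mechanism; the page does not say how Suri Oculus does it)."""
    out = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r and r["sid"] == sid and r["enabled"] != enabled:
            line = line.lstrip("# ") if enabled else "#" + line
        out.append(line)
    return "\n".join(out) + "\n"
```

Run the lint before reloading Suricata: a rule that is enabled while its .blst file is absent is exactly the case the dataset update step above must prevent.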

About IOC Files

  • Files like ioc_url.rules, ioc_ip.rules, and ioc_domain.rules are generated and integrated into Suricata via the Suri Oculus system.
  • These rules are based on threat intelligence data from the IOC (Indicators of Compromise) database, ensuring your configuration is aligned with the latest threat intelligence.

By properly configuring and maintaining these files, you ensure that Suricata remains an effective Intrusion Detection and Prevention System (IDS/IPS) tailored to your specific security needs.
