The section defining rule files in your Suricata configuration should be structured as follows:
rule-files:
  - suricata.rules
  - additional.rules
  # - ioc_url.rules
  # - ioc_ip.rules
  # - ioc_domain.rules
In addition to the default file (suricata.rules), several other files can be included; an entry prefixed with # is commented out and not loaded.
About additional.rules
The additional.rules file is designed to contain custom rules in the following format:
#drop dns $HOME_NET any -> any any (msg:"Oculus Universal DNS Query to universal media Malicious FQDN"; dns.query; dataset:isset, universal.blst, type string, load /var/lib/suricata/universal.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000001; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Porno DNS Query to porn media Malicious FQDN"; dns.query; dataset:isset, porno.blst, type string, load /var/lib/suricata/porn.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000002; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Social DNS Query to social media Malicious FQDN"; dns.query; dataset:isset, social.blst, type string, load /var/lib/suricata/social.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000003; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Fakenews DNS Query to fakenews media Malicious FQDN"; dns.query; dataset:isset, fakenews.blst, type string, load /var/lib/suricata/fakenews.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000004; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Gambling DNS Query to gambling media Malicious FQDN"; dns.query; dataset:isset, gambling.blst, type string, load /var/lib/suricata/gambling.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000005; rev:1;)
Purpose of These Rules
The rules in additional.rules serve to block and monitor DNS queries targeting specific categories of websites, such as:
- Social Media
- Adult Content
- Fake News Sources
- Gambling Sites, and more.
By doing so, these rules enhance your network’s security posture by preventing malicious or unwanted activities.
Integration with Suri Oculus
- Enabling/Disabling Rules: These rules can be activated or deactivated directly through the Suri Oculus management system.
- Dataset Updates: The required datasets (e.g., universal.blst, porn.blst, etc.) are updated using Oculus tools, ensuring your rule base is always up-to-date.
About IOC Files
- Files like ioc_url.rules, ioc_ip.rules, and ioc_domain.rules are generated and integrated into Suricata via the Suri Oculus system.
- These rules are based on threat intelligence data from the IOC (Indicators of Compromise) database, ensuring your configuration is aligned with the latest threat intelligence.
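The two maintenance tasks described above, toggling the leading # that enables or disables a rule in additional.rules and regenerating the "type string" dataset files those rules load, can be exercised with the following added Python example. It is not Suri Oculus code: it assumes only the rule format shown in additional.rules and Suricata's string dataset file layout (one base64-encoded entry per line), and the sample rules, domain names and temporary file paths inside it are constructed for the demonstration.

```python
"""Manage additional.rules entries and the string datasets they load.

Added example, not part of Suri Oculus. It assumes the rule format shown in
additional.rules and Suricata's 'type string' dataset layout (base64 per line).
"""
import base64
import re
import tempfile
from pathlib import Path

# Constructed sample in the additional.rules format: a leading '#' disables a rule.
SAMPLE_RULES = """\
#drop dns $HOME_NET any -> any any (msg:"Oculus Social DNS Query to social media Malicious FQDN"; dns.query; dataset:isset, social.blst, type string, load /var/lib/suricata/social.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000003; rev:1;)
#drop dns $HOME_NET any -> any any (msg:"Oculus Gambling DNS Query to gambling media Malicious FQDN"; dns.query; dataset:isset, gambling.blst, type string, load /var/lib/suricata/gambling.blst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:2000005; rev:1;)
"""

# 'sid:2000003;' identifies the rule; the dataset keyword names the list and its file.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
DATASET_RE = re.compile(
    r"dataset:\s*isset\s*,\s*(?P<name>[^,;]+?)\s*,\s*type\s+string\s*,\s*load\s+(?P<path>[^,;]+?)\s*[,;]"
)


def parse_rules(text):
    """Return one dict per rule line: sid, enabled flag, dataset name and load path."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        sid = SID_RE.search(stripped)
        if not stripped or not sid:
            continue  # blank line or a plain comment, not a rule
        ds = DATASET_RE.search(stripped)
        rules.append({
            "sid": int(sid.group(1)),
            "enabled": not stripped.startswith("#"),
            "dataset": ds.group("name") if ds else None,
            "path": ds.group("path") if ds else None,
        })
    return rules


def set_rule_state(text, sid, enabled):
    """Enable (strip the '#') or disable (prepend '#') the rule with the given sid."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid:
            body = line.lstrip("#").lstrip()
            line = body if enabled else "#" + body
        out.append(line)
    return "\n".join(out) + "\n"


def encode_string_dataset(names):
    """Build a 'type string' dataset file body: one base64-encoded entry per line.

    Entries are lowercased, stripped of a trailing dot and de-duplicated, because
    dataset:isset compares the dns.query buffer with the entry byte for byte.
    """
    unique = sorted({n.strip().lower().rstrip(".") for n in names if n.strip()})
    return "".join(base64.b64encode(n.encode()).decode() + "\n" for n in unique)


def decode_string_dataset(body):
    """Inverse of encode_string_dataset: the set of plain strings in a dataset file."""
    return {base64.b64decode(line).decode() for line in body.splitlines() if line.strip()}


def query_is_listed(qname, entries):
    """Mimic dataset:isset on dns.query: an exact match against the loaded entries."""
    return qname.rstrip(".") in entries


def demo():
    """Round trip: write a dataset file, enable its rule, check queries against it."""
    names = ["Social.Example", "social.example", "chat.example."]  # constructed list
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "social.blst"  # stands in for /var/lib/suricata/social.blst
        path.write_text(encode_string_dataset(names))
        entries = decode_string_dataset(path.read_text())
    rules = set_rule_state(SAMPLE_RULES, 2000003, enabled=True)
    return {
        "entries": sorted(entries),
        "enabled_sids": [r["sid"] for r in parse_rules(rules) if r["enabled"]],
        "hit": query_is_listed("social.example", entries),
        "miss": query_is_listed("news.example", entries),
        # Byte-exact matching: a mixed-case query does not hit a lowercase entry
        # unless the rule normalises the buffer (Suricata's to_lowercase transform).
        "case_miss": query_is_listed("Social.Example", entries),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the demo() result: the lowercased, de-duplicated entries written to the dataset file, the single sid left enabled, and the exact-match behaviour that makes a mixed-case query miss a lowercase entry. The same parse and toggle functions work on a real additional.rules file read with Path.read_text(), and the dataset needs a Suricata restart or reload to take effect after it is rewritten.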
By properly configuring and maintaining these files, you ensure that Suricata remains an effective Intrusion Detection and Prevention System (IDS/IPS) tailored to your specific security needs.