Gid numbers and kibana parsing

Hello, I recently changed the gid numbers of my rules, which from what I read in the docs, has no technical implications. However, this completely messed up the way the alerts are being parsed by logstash and displayed in kibana. Instead of the alert message I just get [gid:sid:rev]. I did post this question in the logstash forum, too. I’ve just found such little info about modifying gid numbers I wanted to broaden the audience of this question in case someone out there can help. Thanks!

Can you paste examples so we can debug that?

Sure! So here’s a standard suricata rule:

reject http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; content:".pw"; fast_pattern; http_host; isdataat:!1,relative; content:!"u.pw"; depth:4; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2016777; rev:12; metadata:created_at 2013_04_19, updated_at 2019_09_28;)

You can see there is no gid number specified, which according to the docs defaults at 1 if it isn’t specified. The docs say, “The gid keyword can be used to give different groups of signatures another id value (like in sid). Suricata uses by default gid 1. It is possible to modify this. It is not usual that it will be changed, and changing it has no technical implications.”
https://suricata.readthedocs.io/en/suricata-4.0.4/rules/meta.html

Before I altered the gid number, if that alert went off I would see the alert message in my kibana dashboard. It would say, “ET INFO HTTP Request to a *.pw domain” so I would know right away this was a .pw alert. So I went in and changed the gid to 22222222. Once I did that, all I got on my kibana dashboard was, “[snort alert 22222222:2016777:12]”. So then I have to go look up the rule to see what the alert is about, because it’s no longer displaying the alert msg from the rule.

Logstash does its parsing from the conf files in /logstash/conf.d. The only line I can find in my suricata.conf file that refers to the gid number is this line:

add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
        }

So in that code snippet, Logstash is using the gid number plus the sid number to go to snort.org and look up the rule. So, I was thinking that maybe kibana is displaying an alert msg that it’s pulling off of snort.org? So I replaced the above line with this line,

add_field => [ "signature_info", "https://www.snort.org/search?query=1-%{[alert][signature_id]}" ]
}

But it didn’t make any difference. I still was only getting, “[snort alert 22222222:2016777:12]” in my dashboard.
I don’t know the language that the conf file was written in, maybe ruby? So maybe when I just replaced that %{[alert][gid]} with a 1, I messed something up? Or maybe there’s another default conf file I need to dig into? I don’t know.

It almost looks like alert descriptions are being looked up in a sid-msg.map style file, and failing so some default description is generated. Just a thought, I’m not sure how one would go about actually finding that out or not, as it’s probably specific to your setup.

Thanks! I’ll look for map files. Couldn’t hurt!
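The reply above suggests the msg is resolved through a sid-msg.map style lookup that fails once the gid no longer matches. The script below is an added example, not code from the thread, from Suricata, or from Logstash: it parses rules into a sid-msg.map keyed on (gid, sid), then resolves alerts against that map. The rule text is the one pasted in the thread; the modified copy with gid:22222222, the "[snort alert gid:sid:rev]" fallback string (modelled on what was seen in kibana), and the fixed priority column are constructed for the example. It assumes the v2 map layout "gid || sid || rev || classification || priority || msg" and the v1 layout "sid || msg || ref"; how the poster's own Logstash pipeline does the lookup is not known from the thread.

```python
"""Model a sid-msg.map lookup to show why changing a rule's gid can turn its msg
into a placeholder: the map still carries the default gid 1, so (22222222, sid)
is never found. Regenerating the map from the edited rules restores the match."""
import re

# Constructed sample input: the rule from the thread (no gid keyword, so gid
# defaults to 1) and the same rule after adding gid:22222222.
ORIGINAL_RULE = (
    'reject http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; '
    'content:".pw"; fast_pattern; http_host; isdataat:!1,relative; content:!"u.pw"; '
    'depth:4; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2016777; '
    'rev:12; metadata:created_at 2013_04_19, updated_at 2019_09_28;)'
)
MODIFIED_RULE = ORIGINAL_RULE.replace('sid:2016777;', 'gid:22222222; sid:2016777;')

MSG_RE = re.compile(r'msg:"((?:[^"\\]|\\.)*)";')          # msg may contain escaped quotes
OPT_RE = re.compile(r'\b(gid|sid|rev):(\d+);')            # integer keywords
CLASSTYPE_RE = re.compile(r'classtype:([\w-]+);')
PLACEHOLDER_PRIORITY = 0  # assumption: example has no classification.config to read


def parse_rule(rule):
    """Return (gid, sid, rev, classtype, msg) for one rule; gid defaults to 1 as in Suricata."""
    msg_match = MSG_RE.search(rule)
    if msg_match is None:
        raise ValueError('rule has no msg')
    # Strip the msg first so keyword-like text inside it cannot be misread as options.
    rest = MSG_RE.sub('', rule)
    opts = {key: int(val) for key, val in OPT_RE.findall(rest)}
    if 'sid' not in opts:
        raise ValueError('rule has no sid')
    ct = CLASSTYPE_RE.search(rest)
    classtype = ct.group(1) if ct else 'unknown'
    return opts.get('gid', 1), opts['sid'], opts.get('rev', 0), classtype, msg_match.group(1)


def build_sid_msg_map(rules):
    """Emit sid-msg.map v2 lines: gid || sid || rev || classification || priority || msg."""
    lines = ['#v2']
    for rule in rules:
        gid, sid, rev, classtype, msg = parse_rule(rule)
        lines.append(f'{gid} || {sid} || {rev} || {classtype} || {PLACEHOLDER_PRIORITY} || {msg}')
    return lines


def load_sid_msg_map(lines):
    """Parse v1 or v2 sid-msg.map lines into {(gid, sid): (rev, msg)}."""
    table = {}
    v2 = False
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('#'):
            v2 = v2 or line.lower().startswith('#v2')
            continue
        cols = [c.strip() for c in line.split('||')]
        if v2:
            gid, sid, rev, msg = int(cols[0]), int(cols[1]), int(cols[2]), cols[5]
        else:  # v1 has no gid column, so every entry is implicitly gid 1
            gid, sid, rev, msg = 1, int(cols[0]), 0, cols[1]
        table[(gid, sid)] = (rev, msg)
    return table


def describe_alert(table, gid, sid, rev):
    """Resolve an alert to its msg, or to a placeholder when (gid, sid) is not in the map."""
    hit = table.get((gid, sid))
    if hit is None:
        return f'[snort alert {gid}:{sid}:{rev}]'  # fallback modelled on the thread's symptom
    return hit[1]


if __name__ == '__main__':
    stale = load_sid_msg_map(build_sid_msg_map([ORIGINAL_RULE]))
    print('stale map, gid 1:       ', describe_alert(stale, 1, 2016777, 12))
    print('stale map, gid 22222222:', describe_alert(stale, 22222222, 2016777, 12))
    fresh = load_sid_msg_map(build_sid_msg_map([MODIFIED_RULE]))
    print('regenerated map:        ', describe_alert(fresh, 22222222, 2016777, 12))
```

Run stand-alone it prints the msg for the gid 1 lookup, the "[snort alert 22222222:2016777:12]" placeholder for the same sid under the new gid, and the msg again once the map is rebuilt from the edited rules. The check that transfers to a real setup is the same: whatever produces the map (or any equivalent lookup table) has to be regenerated from the rules after a gid change, otherwise every alert from the renumbered rules misses the lookup.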