I’m a newbie and I’m trying to start using Suricata. Basic Suricata configuration is almost done and it is working as expected. Anyway, I detected a lot of this kind of message in Suricata fast.log:
06/04/2021-19:25:03.460582 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.533901 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.533931 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.534132 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:12.534163 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485194 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485294 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485702 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
06/04/2021-19:25:13.485730 [] [1:2101411:13] GPL SNMP public access udp [] [Classification: Attempted Information Leak] [Priority: 2] {UDP}
How can I exclude this rule in order to avoid these messages?
I tried to use /etc/suricata/disable.conf, but it had no effect… (also after suricata-update and suricata service restart).
When you run Suricata-Update, check where it's writing the rules to; you should see something like: 4/6/2021 -- 11:59:59 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30414; enabled: 22945; added: 165; removed 26; modified: 1244
In your suricata.yaml verify that your default-rule-path and rule-files are configured to load these files.
These should be the defaults if you installed Suricata from source or with the RPM. If you installed Suricata another way, could you please describe how?
I’m a little bit confused about the right path to be considered. I see a mix of /etc/suricata/… /var/lib/suricata paths. Also classification.config path is different in suricata.yaml and suricata-update output.
Could you please help me to fix the problem? (I installed suricata using YUM).
Thank you in advance.
Mauro
In addition, please note that in /etc/suricata/rules I can find all the rules mentioned in yaml file.
I followed this technote in order to integrate suricata with wazuh:
That tech note is quite out of date. It looks like you found our repos for Suricata 6 instead of using the repo listed there which is good, but the suricata.yaml there is probably out of date as well. At the very least you’ll need to update the default-rule-path and rule-files sections in /etc/suricata/suricata.yaml if you wish to use Suricata-Update to look something like this:
So, suricata.yaml file is up-to-date and disable.conf file works as expected!
In addition, following the instructions contained here, ET OPEN Ruleset Download Instructions, I added the emerging rules to /usr/share/suricata/rules folder and I executed suricata-update.
But I noticed that these added rules are not mentioned (loaded) in the suricata-update output. Is it normal?
After a default install of Suricata, ET/Open rules are enabled by default. You should not download them to /usr/share/…
Instead just run suricata-update, by default it will download the ET/Open rules and output them to /var/lib/suricata/rules/suricata.rules applying any changes you may have configured in /etc/suricata/disable.conf, /etc/suricata/enable.conf, etc.
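An added example (not code from this thread or from the Suricata project) that ties the steps above together: it pulls the gid:sid out of fast.log lines like the ones quoted at the top, renders them as disable.conf entries, and then checks a suricata.rules file to confirm that suricata-update wrote the disabled rule out commented. The sample fast.log lines and the suricata.rules content are constructed, and the rule bodies are approximations rather than the real ET rule text.

```python
import re
from typing import Dict, List, Optional

# "[gid:sid:rev]" field of a Suricata fast.log line, e.g. "[1:2101411:13]".
FASTLOG_SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
# "sid:NNN;" option of a rule line; the line may be commented out with "# ".
RULE_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample in the shape of the fast.log lines quoted in the thread.
SAMPLE_FASTLOG = [
    "06/04/2021-19:25:03.460582 [**] [1:2101411:13] GPL SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP}",
    "06/04/2021-19:25:12.533901 [**] [1:2101411:13] GPL SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP}",
]

# Constructed stand-in for /var/lib/suricata/rules/suricata.rules after suricata-update
# applied a disable.conf entry: the disabled rule is written out commented with "# ".
# Rule bodies are approximations, not the real ET rule text.
SAMPLE_RULES = """\
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; classtype:attempted-recon; sid:2101411; rev:13;)
alert udp any any -> any 161 (msg:"CONSTRUCTED rule that stays enabled"; sid:9000001; rev:1;)
"""

def sids_from_fastlog(lines: List[str]) -> Dict[str, int]:
    """Count fast.log alerts per gid:sid so the noisiest signatures stand out."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = FASTLOG_SID_RE.search(line)
        if m:
            key = f"{m.group(1)}:{m.group(2)}"
            counts[key] = counts.get(key, 0) + 1
    return counts

def disable_conf_lines(gid_sids: Dict[str, int]) -> List[str]:
    """Render gid:sid keys as entries for /etc/suricata/disable.conf (one per line)."""
    return sorted(gid_sids)

def rule_state(rules_text: str, sid: int) -> Optional[str]:
    """Report whether a sid is 'enabled', 'disabled' (commented out) or absent (None)."""
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_SID_RE.search(stripped)
        if m and int(m.group(1)) == sid:
            return "disabled" if stripped.startswith("#") else "enabled"
    return None
```

Run `rule_state` against the real /var/lib/suricata/rules/suricata.rules after `suricata-update` to confirm the entry took effect before restarting the service.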
No problem. In the last 2 years we’ve made strides to make the default installation much easier to get going with… However, 3rd party documentation appears to lag behind as expected. Are you a user of Wazuh? It's a popular enough project that I should maybe consider getting their documentation up to date.