A programmatic solution for dealing with Suricata ruleset curation.
Summary
Are you overwhelmed with Suricata alerts? Do you regularly spend time curating rulesets, tuning rules to deal with false positives, and weeding out unneeded rules? Aristotle v2 was created to bring a programmatic solution to the the process of parsing, analyzing, enhancing, updating, and filtering Suricata rules in order to reduce false positives and help ensure that appropriate IDS alerts receive proper attention.Today, an Uber Engineering blog post came out that discusses how Uber’s Cyber Defense team programmatically manages network IDS rulesets, augments alerts for correlation, and open-sourced the code they use to do it (Aristotle v2): https://www.uber.com/blog/network-ids-ruleset-management-with-aristotle-v2/
Background
Aristotle v1 was released in 2019 and discussed in a SuriCon talk in Amsterdam; it allows users to “filter” (enable or disable) rules based on metadata key-value pairs. By using a concrete boolean algebra, “filter strings” can be defined to control rule selection. This can be quite powerful, but the usefulness of Aristotle v1 is limited by the richness (or rather, lack thereof) of the metadata in the provided rules, something controlled by ruleset vendors and onerous to maintain manually. Since most ruleset vendors do not provide comprehensive metadata and/or do not have metadata with the precision and consistency needed for accurate programmatic filtering, something more than Aristotle v1 is needed.
Aristotle v2 adds support for programmatic metadata normalization and enhancement as well as the option to further filter and modify the ruleset after normalization, enhancement, and initial filter string application. This is known as PFMod (Post Filter Modification) and allows for the identification of rules based on filter strings, and then particular “actions” taken on those rules, including the ability to add/delete metadata, enable/disable rules, set priority, and do a regular expression based “find and replace” on the full rule.
Aristotle v2 and Suricata-Update
Some may wonder how Aristotle v2 compares to Suricata-Update. While there is overlap in functionality, Aristotle v2 isn't intended to compete with Suricata-Update. Suricata-Update provides functionality that Aristotle does not, such as ruleset downloading and compiling, while Aristotle v2 offers more powerful rule filtering and modification capabilities than Suricata-Update. In fact, one common use case is to use them together in sequence--Suricata-Update for ruleset download and amalgamation (and perhaps some simple filtering), and then Aristotle v2 for more advanced normalization, enhancement, filtering, and rule modification.Links
Uber Engineering Blog Post: https://www.uber.com/blog/network-ids-ruleset-management-with-aristotle-v2/
Aristotle v2 code: https://github.com/secureworks/aristotle
Aristotle v2 docs: https://aristotle-py.readthedocs.io/
Aristotle on PyPi: https://pypi.org/project/aristotle/