
tsikerdekis / scirius Goto Github PK


This project forked from stamusnetworks/scirius


Scirius is a web application for Suricata ruleset management.

License: GNU General Public License v3.0

Python 67.32% HTML 19.73% JavaScript 5.20% CSS 1.14% RobotFramework 6.53% Shell 0.08%


Scirius

Introduction

Scirius Community Edition is a web interface dedicated to Suricata ruleset management. It handles the rules file and updates the associated files.

[Screenshot: suricata update in scirius]

Scirius CE is developed by Stamus Networks and is available under the GNU GPLv3 license.

Installation and setup

Installing Scirius CE

Scirius CE is an application written in Django. You can install it like any other Django application.

The following procedure has been tested on Debian Wheezy and Sid and Ubuntu LTS 12.04.

Dependencies

Scirius CE uses the following Django modules:

  • tables2
  • south
  • bootstrap3
  • requests
  • revproxy

The easiest way to install the dependencies is to use pip.

On Debian, you can install pip with

aptitude install python-pip python-dev

You can then install Django and the dependencies:

pip install -r requirements.txt

To use the suri_reloader script, which handles Suricata restarts, you will also need pyinotify:

pip install pyinotify

It has been reported that on some Debian systems, forcing a recent GitPython is required:

pip install gitpython==0.3.1-beta2

You may also need the gitdb module:

pip install gitdb

Running Scirius CE

Get the source, then run the following inside the source directory:

python manage.py syncdb

Authentication is enabled by default in Scirius, so you will need to create a superuser account when prompted.

One of the easiest ways to try Scirius CE is to run the Django test server:

python manage.py runserver

You can then connect to localhost:8000.

If you need the application to listen on a reachable address, you can run something like

python manage.py runserver 192.168.1.1:8000

Suricata setup

Scirius CE generates one single rules file containing all activated rules. When editing the Suricata object, you have to set up the directory where you want this file to be generated and where the associated files of the ruleset will be copied.

Scirius CE won't touch your Suricata configuration file, aka suricata.yaml. You therefore have to update it to point to the directory where the data are set up by Scirius CE. If you are only using rules generated by Scirius CE, you should have something like the following in your suricata.yaml file:

default-rule-path: /path/to/rules
rule-files:
 - scirius.rules

To interact with Scirius CE, you need to detect when the /path/to/rules/scirius.reload file is created, initiate a reload or restart of Suricata when it is, and delete the reload file once this is done.

One possible way to do that is to use suri_reloader, available in the suricata/scripts directory. The suri_reloader invocation can be something similar to

suri_reloader -p /path/to/rules  -l /var/log/suri-reload.log  -D

Use the -h option to get the complete list of options. Please note that suri_reloader uses the service command to restart or reload Suricata. This means you need an init script for it to work.
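The reload-file contract described above, as an added example that is not part of Scirius or suri_reloader: a poller that looks for scirius.reload, triggers the reload through the service command (assumed to be `service suricata reload`) and removes the flag file only when the reload succeeded, so a failed reload is retried on the next pass instead of being silently lost.

```python
import os
import subprocess
import time

RELOAD_FILE = "scirius.reload"  # flag file written by Scirius CE into the rules directory


def service_reload():
    """Reload Suricata through its init script (assumed command, adjust to your system)."""
    return subprocess.call(["service", "suricata", "reload"]) == 0


def handle_reload_flag(rules_dir, reload_cmd=service_reload):
    """Check the rules directory once for the reload flag.

    Returns "idle" when no flag is present, "reloaded" when the flag was
    present and the reload succeeded (flag removed), or "failed" when the
    reload command failed (flag kept so the next pass retries).
    """
    flag = os.path.join(rules_dir, RELOAD_FILE)
    if not os.path.exists(flag):
        return "idle"
    if not reload_cmd():
        # Keep the flag: deleting it now would drop the pending ruleset update.
        return "failed"
    os.remove(flag)
    return "reloaded"


def watch(rules_dir, interval=2.0, reload_cmd=service_reload):
    """Polling loop; with pyinotify the sleep can be replaced by an inotify event."""
    while True:
        handle_reload_flag(rules_dir, reload_cmd)
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    watch(sys.argv[1] if len(sys.argv) > 1 else "/path/to/rules")
```

Because the flag file drives a privileged service restart, the rules directory should be writable only by the account running Scirius CE.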

Link with Elasticsearch

If you are using Suricata with EVE logging and Elasticsearch, you can get information about signatures displayed on the page showing information about Suricata:

[Screenshot: elasticsearch info in scirius]

You can also get graph and details about a specific rule:

[Screenshot: rule info in scirius]

To set up the Elasticsearch connection, you can edit settings.py or create a local_settings.py file under the scirius directory. Elasticsearch is activated if a variable named USE_ELASTICSEARCH is set to True in settings.py. The address of Elasticsearch is stored in the ELASTICSEARCH_ADDRESS variable and uses the format IP:port.

For example, if your Elasticsearch is running locally, you can add the following to local_settings.py:

USE_ELASTICSEARCH = True
ELASTICSEARCH_ADDRESS = "127.0.0.1:9200"
ELASTICSEARCH_VERSION = 2 # In 1, 2, 5 set depending on ES major version

Please note that the name of the Suricata (set when editing the object) must be equal to the host key present in Elasticsearch events. It can also be edited here: scirius -> suricata -> edit.

On the Logstash side, the only necessary thing is to make sure that @timestamp is equal to the timestamp value provided in Suricata events. To do so, if your Suricata events are of type SELKS, one can use

filter {
  if [type] == "SELKS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
}

This is necessary to avoid glitches in the graphs generated by Scirius CE.

Link with Kibana

If you are using Kibana, it is possible to get links to your dashboards by clicking on the top-left icon:

[Screenshot: kibana dropdown menu]

To activate the feature, you need to edit your local_settings.py file:

KIBANA_URL = "http://localhost/"
USE_KIBANA = True

Usage

Authentication and permissions

Scirius CE uses authentication by default. You will need a superuser to be able to create and edit users for Scirius. syncdb should have created one for you. If that is not the case, you can run the following from the Scirius CE base directory:

python manage.py createsuperuser

The base directory is the directory where scirius sources have been extracted. If you are using SELKS this is /opt/selks/scirius.

You will then be able to connect using the provided credentials.

The permissions system is basic:

  • Superusers can create and edit users
  • Staff members can make changes to rulesets and Suricata

This gives three useful levels for users:

  • Read-only: no flag set
  • Staff member: staff flag set; they can update rulesets and Suricata
  • Superuser: staff and superuser flags set; they can do anything

User actions logging

All actions done in ruleset management are logged. It is possible to access their history by using Actions history in the Stamus icon menu.

An optional comment is available for each action to allow users to interact with each other.

Ruleset management

A Ruleset is made of components selected from different Sources. A Source is a set of files providing information to Suricata; for example, this can be the EmergingThreats ruleset.

To create a ruleset, you thus must create a set of Sources and then link them to the ruleset. Once this is done, you can select which elements of the source you want to use. For example, in the case of a signature ruleset, you can select which categories you want to use and which individual signatures you want to disable.

Once a Ruleset is defined, you can attach it to your Suricata. To do that simply edit the Suricata object and choose the Ruleset in the list.

Creating Source

To create a Source go to Sources -> Add (Add being in the Actions menu in the sidebar). Then set the different fields and click Submit.

A source of datatype "Signatures files in tar archive" has to follow some rules:

  • It must be a tar archive
  • All files must be under a rules directory

For example, if you want to fetch the ETOpen Ruleset for Suricata 2.0.1, you can use:

A source of datatype "Individual signature files" has to be a single file containing signatures.

For example, if you want to use the SSL blacklist from abuse.ch, you can use:

Updating Source

To update a Source, you first need to select it. To do that, go to Sources then select the wanted Source in the array.

You can then click on Update in the menu in the sidebar. This step can take a while as it may require some downloading and heavy parsing.

Once updated, you can browse the result by following links in the array.

Creating Ruleset

To create a Ruleset go to Ruleset -> Add (Add being in the Actions menu in the sidebar). Then set the name of the Ruleset and choose which Sources to use and click Submit.

Updating Ruleset

To update a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the array.

You can then click on Update in the Action menu in the sidebar. This step can take a while as it may require downloading the different Sources and heavy parsing.

Editing Ruleset

To edit a Ruleset, you first need to select it. To do that, go to Ruleset then select the wanted Ruleset in the array.

You can then click on Edit in the Action menu in the sidebar.

There are now different operations available in the Action menu:

  • Edit sources: select which sources of signatures to use in the Ruleset
  • Edit categories: select which categories of signatures to use in the Ruleset
  • Add rule to suppressed list: if a rule is in this list, it will not be part of the generated Ruleset
  • Remove rule from suppressed list: this removes a rule from the previously mentioned list, thus re-enabling it in the Ruleset

Edit Sources

To select which Sources to use, just select them via the checkbox and click on Update sources. Please note that selecting categories to enable is the next step in the process when you add a new source.

Edit Categories

To select which Categories to use, just select them via the checkbox and click on Update categories.

Add rule to suppressed list

Use the search field to find the rule(s) you want to remove; you can use the SID or any other element of the signature. Scirius CE will search for the entered text in the signature definitions and return the list of matching rules. You will then be able to remove them by ticking the check boxes and clicking on Add selected rules to suppressed list.

Remove rule from suppressed list

To remove rules from the suppressed list, simply check them in the array and click on Remove selected rules from suppressed list.

Thresholding

Suricata features a thresholding system. It allows the behavior of a given alert to be changed. There are currently two different operations supported by Scirius CE:

  • Suppress: suppress alerts for a signature when the source or destination IP is in a defined range
  • Threshold: limit the number of alerts for a signature by specifying a maximum number of alerts in a time range, or a minimum number of matches in a time range before alerting

Both operations can be accessed via a rule page. Clicking on a down arrow in the Source or Destination IP table will open a page where it is possible to add a Threshold. By clicking on the cross, a Suppress operation can be added.

The list of Threshold and Suppress for a rule can be seen from the Rules info tab.

Threshold and Suppress are bound to a Ruleset. You can see all the defined ones from the Ruleset page.

To edit or delete a Threshold or a Suppress, simply click on the displayed ID, then select Edit or Delete in the left menu.
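The Suppress and Threshold operations above end up as entries in Suricata's threshold.config. As an added example (not Scirius code), the following builds those entries from the parameters the page describes and validates them, so that a malformed IP range or a zero count is rejected before anything reaches the sensor. The SID used in the test is a constructed value from the local range.

```python
import ipaddress

TRACK = ("by_src", "by_dst")


def suppress_line(sid, track, network, gen_id=1):
    """threshold.config 'suppress' entry: drop alerts for sid when the tracked
    address (source or destination) falls inside network (CIDR or single host)."""
    if track not in TRACK:
        raise ValueError("track must be by_src or by_dst")
    # strict=True rejects ranges with host bits set (e.g. 10.0.0.1/8) and junk input
    net = ipaddress.ip_network(network, strict=True)
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (gen_id, sid, track, net)


def threshold_line(sid, kind, track, count, seconds, gen_id=1):
    """threshold.config 'threshold' entry. kind is 'limit' (at most count alerts
    per seconds), 'threshold' (alert only once count matches were seen within
    seconds) or 'both'."""
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("kind must be limit, threshold or both")
    if track not in TRACK:
        raise ValueError("track must be by_src or by_dst")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    return ("threshold gen_id %d, sig_id %d, type %s, track %s, count %d, seconds %d"
            % (gen_id, sid, kind, track, count, seconds))


def render_threshold_config(entries):
    """Join generated entries into the text Suricata loads as threshold.config."""
    return "\n".join(entries) + "\n"
```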

Rule transformation

Rule transformation allows the action of a particular rule to be changed to drop, reject or filestore. Please note that these actions require advanced knowledge of rules and the rule keyword language.

Once you have a particular rule that you would like to transform, go to the rule's details page and, in the left-hand side panel under Actions, click Transform rule. You will be presented with a few choices:

  • Type of transformation to choose from:

    drop (IPS mode): converts the rule from alert to drop. IPS mode needs to be explicitly set up and configured beforehand.

    reject (IDPS/hybrid): converts the rule from alert to reject, meaning that when it triggers, a RST or destination unreachable packet is sent to both the source and destination IP.

    filestore: converts only those rules whose protocol allows file extraction, for example alert http ... or alert smtp ...

  • The ruleset in which you wish the newly transformed rule to be added/registered.

NOTE: A particular rule can be transformed only once.

NOTE: For using the drop functionality you need to have a valid IPS setup.

After you make the desired selection, you can add a comment for accountability purposes and click on Valid. You will find the details about the transformed rule in the Information tab. You can review and confirm the transformation and the ruleset it is added to, alongside any comments.

Only active rules can be transformed. If a rule is not active in a particular ruleset, it will not have the transformation or suppress/threshold options available in the left-hand side panel. To make it active, toggle the availability of that rule by clicking on Toggle availability in the left-hand side panel menu.

The history tab of the rule details page will have any comments and changes to the transformed rule for traceability.

After the transformation is done, the ruleset(s) containing the newly transformed rule need to be pushed to the remote devices for the rule to be deployed. That can be accomplished either through a manual or a scheduled ruleset push, as explained in Updating Suricata ruleset.

Updating Suricata ruleset

To update the Suricata ruleset, you can go to Suricata -> Update (Update being in the Actions menu). Then you have to select which action you want to perform:

  • Update: download latest version of the Sources used by the Ruleset
  • Build: build a Suricata ruleset based on current version of the Sources
  • Push: trigger a Suricata reload to have it running with latest build ruleset

You can also update the ruleset and trigger a Suricata reload by running

python manage.py updatesuricata

Rules transformation

Concept

Suricata can be used in IDS and IPS mode. Traditional sources don't come with ready-to-use rules for IPS, so the user has to set up the IPS ruleset by transforming the rules that should block traffic before loading them into Suricata. The basic transformation is to change the alert keyword to drop, but it is also possible to use the reject method.

Scirius allows you to apply these modifications to a complete category or to a single rule. The rule-level modification has priority, so it is possible to remove the transformation from a rule belonging to a category with the transformation enabled.

As Suricata allows you to store files transferred on alert, it is also possible to add the filestore option to a rule, thus enabling you to store on disk the files that triggered a specific alert.

Once transformations are created, the ruleset will be generated with transformed rules.

Transform a category

To transform a category, go to the category page, then in the left sidebar click on Transform category and choose one transformation and the rulesets to apply it to.

These transformations are exclusive: for example, it is not possible to drop and filestore at the same time, so you need to choose one from the list of transformations.

Transform a rule

To transform a rule, go to the rule page, then in the left sidebar click on Transform rule and choose one transformation and the rulesets to apply it to.
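The transformations described in the Rule transformation and Rules transformation sections above, as an added illustration rather than Scirius' own implementation: alert is rewritten to drop or reject, filestore is appended only to rules whose protocol supports file extraction, commented-out (inactive) and already transformed rules are refused, and a rule-level setting overrides the category-level one. The set of file-carrying protocols beyond http and smtp, and the use of "none" to mean "remove the category transformation", are assumptions for this example; the rule lines are constructed samples.

```python
import re

# Rule header: action, protocol, then addresses/ports and the option block (constructed regex).
HEADER_RE = re.compile(r"^(?P<action>alert|drop|reject)\s+(?P<proto>\S+)\s+(?P<rest>.+\))\s*$")

# http and smtp come from the text; the others are an assumption to adjust per deployment.
FILE_PROTOCOLS = {"http", "smtp", "ftp", "ftp-data", "smb", "nfs"}

TRANSFORMATIONS = ("drop", "reject", "filestore")


def transform_rule(rule, transformation):
    """Apply one exclusive transformation to a single active Suricata rule line."""
    if transformation not in TRANSFORMATIONS:
        raise ValueError("unknown transformation: %s" % transformation)
    if rule.lstrip().startswith("#"):
        raise ValueError("only active rules can be transformed")
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule line")
    action, proto, rest = m.group("action", "proto", "rest")
    if action != "alert":
        raise ValueError("a rule can be transformed only once")
    if transformation in ("drop", "reject"):
        return "%s %s %s" % (transformation, proto, rest)
    # filestore: only meaningful where Suricata can extract files; leave other rules untouched
    if proto not in FILE_PROTOCOLS or "filestore;" in rest:
        return rule.strip()
    return "%s %s %s" % (action, proto, rest[:-1] + " filestore;)")


def effective_transformation(category_transform, rule_transform):
    """Rule-level setting wins: None means no override, the assumed value
    'none' removes the category transformation for that rule."""
    if rule_transform is None:
        return category_transform
    return None if rule_transform == "none" else rule_transform
```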

Backup

To start a backup, run

python manage.py scbackup

To restore a backup and erase all your data, you can run

python manage.py screstore
python manage.py migrate

This will restore the latest backup. To choose another backup, give its filename as the first argument. To get the list of available backups, use

python manage.py listbackups

You cannot restore a backup to a Scirius version older than the one on which the backup was made.

With the default configuration file, the backup is written to disk in /var/backups, but other methods are available. As Scirius CE uses the django-dbbackup application for its backup and restore procedures, it benefits from all the storage methods available in that application. This includes at least:

  • FTP
  • Amazon AWS
  • Dropbox

Please see django-dbbackup configuration for more information on available methods and on their configuration.
