added rule fields #665
added rule fields #665
Conversation
Added rule fields for agent / observer rule based events/actions
added PR id
|
also added "a link to the vendors documentation regarding the rule" to the reference field (e.g. https://www.snort.org/rule_docs/1-50032) Should we have multiple examples? |
unsure @webmat? Also @MikePaquette & @webmat
|
updated descriptions per mikes requests, added rule.reference text to to include vendor references
There was a problem hiding this comment.
Thanks @dainperkins!
Here's my preliminary review. A lot of small nitpicks to clean things up, but also a few important questions.
Please run make on subsequent pushes, I'd like to see this in the docs preview as well :-)
|
|
||
| example: DNS | ||
|
|
||
| - name: ruleset |
There was a problem hiding this comment.
What's the relationship between ruleset and type? Is there a hierarchy there?
There was a problem hiding this comment.
Ruleset is a logical grouping of rules (e.g. a collection of individual rules that are applied to a group for e.g. url filtering or nac policies)
Type is what kind of action does the rule concern itself with, I'm not sure type is necessary across the board.
There was a problem hiding this comment.
per ecs meeting - I'm thinking rule.type can probably be dropped for now.... leaving just ruleset which I can see still being useful for easily visualizing alerts / events related to a group of rules
There was a problem hiding this comment.
Ok, I'm good with dropping .type for now.
Just to be sure we're on the same page, .ruleset is meant to capture a value according to the source of these events?
For example, using this to map Suricata alerts like this one, we would have this?
rule.category="Attempted Information Leak" (from suricata.eve.alert.category)
There was a problem hiding this comment.
Dropped, tho now I am reading the above and thinking maybe we need discrete rulesets (groups of rules/signatures that may apply to e.g. specific networks - e.g. GUEST NET IPS SIGNATURE AND rule.type or rule.category - e.g. "Attempted Information Leak" as they are definitely different things logistically
I think category is more descriptive so I will add that in.
removed vlan pr
@MikePaquette What do you mean by that? We agreed that rule would be at the top level, right? Nesting it under agent + observer would mean we can't analyze both sets of rules together. |
description and error updates per PR discussion
|
|
||
| example: DNS | ||
|
|
||
| - name: ruleset |
There was a problem hiding this comment.
Ok, I'm good with dropping .type for now.
Just to be sure we're on the same page, .ruleset is meant to capture a value according to the source of these events?
For example, using this to map Suricata alerts like this one, we would have this?
rule.category="Attempted Information Leak" (from suricata.eve.alert.category)
fixed spelling, cap., and gram errors. Changes rule.type to be rule.category
There was a problem hiding this comment.
Pretty much ready to merge. I'd love to confirm one thing before, and then I think we're good.
What is the relationship between ruleset and category? Is there a hierarchy there? If so which one is higher? Are both vendor-supplied, or do users do these groupings themselves?
schemas/rule.yml
Outdated
| group: 2 | ||
| short: Fields to capture details about rules used to generate alerts or other events. | ||
| description: > | ||
| Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other events. |
There was a problem hiding this comment.
Nitpick: "or other notable events"?
There was a problem hiding this comment.
I'm good with that, will update today
on the other question - rule.category is, typically, the category of action the rule is alerting on (e.g. "Web Attacks" rulesets would include xss, directory traversal, etc) and you could then apply the "WEB ATTACKS" rule wherever it needed to be applied, instead of enabling each individual rule.
ruleset is a logical configuration which (often times across multiple managed implementations of a solution - e.g. Panorama managing multiple Palo Altos) combines rules into a single logical set (e.g. on the GUEST NETWORK apply the GUEST rule.ruleset which includes [blocks DNS-over_TLS, blocks nsfw/guns/and competitors web sites, limits bandwidth, etc.)
There was a problem hiding this comment.
So ruleset is a wider grouping than category? Or are these orthogonal?
There was a problem hiding this comment.
orthogonal...
Ruleset is localized configuration/implementation specific (as in apply ruleset MY_RULES to this subnet / vlan / group) where MY_RULES have been defined to include e.g. 10 discrete rules.
Category is a grouping of rules by type (think Mitre technique or vulnerable system type)
updated rule short & long descriptions
| type: keyword | ||
| short: Rule description | ||
| description: The description of the rule generating the event. | ||
| example: Block requests to public DNS over HTTPS / TLS protocols |
There was a problem hiding this comment.
I'm assuming the plan was to do a subsequent PR with the corresponding #680 changes that likely ought to be added?
There was a problem hiding this comment.
Yeah the default text indexer would be useful here, but we should do another round later.
Added rule fields for agent / observer rule based events/actions
Closes #598