Threat Assessment Rules

The CloudShark Threat Assessment addon is installed with an initial set of the Emerging Threats Open rules. By default, these rules are never updated after the initial installation of the addon. Customers with the Threat Assessment addon may also have rules that they have developed or purchased themselves, and these can be used with CloudShark.

Configuration files

CloudShark uses the configuration files in /etc/suricata/ to determine the rules and variable settings used during a threat assessment. Suricata is used behind the scenes to generate threats based on the traffic in the capture file.


Suricata-Update

Suricata-Update is a tool bundled with Suricata that may be used to download new rules for threat assessment. The command to download and update the Emerging Threats Open rules that were initially installed with CloudShark is:

suricata-update

Additional Rules

Suricata-Update can download rules from additional sources such as the ET Pro Ruleset. To view which sources can be used for new rules, run the commands:

suricata-update update-sources
suricata-update list-sources

Additional sources can be enabled by running:

suricata-update enable-source <source>

Some rulesets, such as the ET Pro Ruleset mentioned above, require a subscription; for those, this command will prompt for an access code.

Caching

CloudShark runs the capture through Suricata once and then caches the result, which is returned on subsequent requests without rerunning the capture through Suricata.

To have Suricata rerun after any change to the configuration or rules, restart the service by running the following command:

systemctl restart cloudshark-threat-assessment

Then, when a user requests a threat assessment, the capture will be rerun using any new rules or configuration changes to Suricata.
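The whole refresh cycle described above (download rules with suricata-update, then restart the service so cached assessments are recomputed) as one script. This is an added example, not CloudShark's or Suricata's own code. The rules file path is suricata-update's default output location, the suricata.yaml path follows the /etc/suricata/ location mentioned above, and the `suricata -T` test-load step is an extra sanity check that the page does not mention; all three are assumptions. The sample rules used by `sample_rule_count` are constructed for the example.

```shell
#!/bin/sh
# Added example (not CloudShark's or Suricata's own code): refresh the
# rules with suricata-update, sanity-check the result, and restart the
# CloudShark service so cached assessments are recomputed. Paths below
# are assumptions: the rules file is suricata-update's default output,
# the YAML path follows the /etc/suricata/ directory named on the page.

RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Count active (uncommented) rules in a rules file: lines whose first
# token is a Suricata action keyword. Commented-out and blank lines are
# skipped, so the number reflects what Suricata will actually load.
count_active_rules() {
    [ -r "$1" ] || { echo "rules file not readable: $1" >&2; return 1; }
    grep -cE '^[[:space:]]*(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)[[:space:]]' "$1" || true
}

# Step 1: download the current ruleset (Emerging Threats Open by default;
# extra sources are enabled beforehand with `suricata-update enable-source`).
update_rules() {
    suricata-update
}

# Step 2: ask Suricata to test-load the configuration and rules
# (-T is test mode; it exits non-zero on a broken rule or config).
validate_config() {
    suricata -T -c "$SURICATA_YAML"
}

# Step 3: restart the CloudShark service so the cached results are
# discarded and the next threat assessment reruns Suricata.
restart_threat_assessment() {
    systemctl restart cloudshark-threat-assessment
}

# Constructed sample used only to exercise count_active_rules offline:
# one commented-out rule, one blank line, two active rules.
SAMPLE_RULES='# comment line
alert tcp any any -> any 80 (msg:"sample rule 1"; sid:9000001; rev:1;)
# alert tcp any any -> any 443 (msg:"disabled rule"; sid:9000002; rev:1;)

drop udp any any -> any 53 (msg:"sample rule 2"; sid:9000003; rev:1;)'

# Write the constructed sample to a temp file and print its active count.
sample_rule_count() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    count_active_rules "$tmp"
    rm -f "$tmp"
}

# Full refresh runs only when invoked as `sh refresh_rules.sh run`, so the
# functions can be sourced or tested without touching a live system.
if [ "${1:-}" = "run" ]; then
    before=$(count_active_rules "$RULES_FILE" 2>/dev/null || echo 0)
    update_rules
    validate_config
    after=$(count_active_rules "$RULES_FILE")
    echo "active rules: $before -> $after"
    restart_threat_assessment
fi
```

Comparing the rule count before and after the update is a cheap way to notice a download that silently produced an empty or truncated rules file before the service is restarted and the cache is discarded.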