Customize your Suricata IDS Rules per Cluster

The Emerging Threats Open Suricata Ruleset file contains 35,000 IDS Rules as of today. These rules, crafted by a team of experts over many years, certainly deliver value in protecting networks. However, it is certain that you do not need all of them enabled in your network.

These 35,000+ rules are designed to detect attacks across various types of networks, services, and applications—most of which, hopefully, are not present in your network. While large numbers might sound impressive, the perceived security they offer and their real effectiveness can differ significantly; remember that your feeling of security and the reality of it are two different things.

Consider a typical Windows environment with an Active Directory, hundreds of client machines, and several mail/DNS/fileshare servers. A quick search in our demo instance for the word “windows” (which appears in various tags like the affected_product tag) yields about 7,000 rules out of the 40,000+ available. This is less than 20% of the published rules.

Why Bother Tuning IDS Rules?

Increased false positives

One of the most challenging aspects of detection engineering is achieving an acceptable level of false positives in your detection alerts. We say “acceptable” because aiming for zero false positives is unrealistic, especially in modern networks with hundreds of different software packages, services, domains, and IPs being active.

You should aim for an acceptable level of false positives that prevents alert fatigue from affecting your SOC team, while enabling as many rules as make sense. Remember, the number of enabled rules and the number of false positives tend to increase together.

Performance degradation

Modern servers have substantial computational power, thanks to Moore’s law (or what’s left of it!). However, the growth in network traffic and in the number of detection rules has been substantial as well, and although Suricata has many performance tuning knobs, the simplest trick of all is to enable fewer rules.

The more Suricata rules you enable, especially if they are not finely tuned (e.g., restricted to specific types of traffic), the more detection logic Suricata must run for each network packet it processes, and there are many of them.

Expensive Hardware

This point is closely linked to the previous one. The less performant your Suricata cluster, the more hardware you need to keep up with the throughput. This matters to the people who handle budgets, namely your manager, or whoever has to request funding.

It costs real money to deploy that extra server in your Suricata cluster. Disabling irrelevant rules that do not provide value to your detection layers helps you save on hardware resources for the more crucial tasks.

How IDSTower can help

All of the above makes sense, but now imagine running multiple Suricata clusters, each covering a different network, and a different set of servers, services, and software (e.g., one for your DMZ and another for your clients’ Windows machines). Managing a dedicated ruleset for each cluster quickly becomes a headache.

The best way to solve this is to maintain a master ruleset and select a subset of it to be deployed selectively (where needed) to each cluster, and that is exactly what we have added in the latest version of IDSTower.

This feature allows you to maintain a master list of IDS Rules (sourced from feeds, manual uploads, or even local teams) and selectively configure individual rules to be deployed to:

  • All Clusters
  • Selected Clusters (e.g., DMZ & Internal Applications only)
  • All Clusters except certain ones (e.g., deploy this rule to all clusters except the clients’ machines cluster)

IDSTower takes care of maintaining the master list through its Rule-Life-Cycle management feature, enabling you to activate rules as needed, reduce false positives by disabling noisy and irrelevant rules from incompatible Suricata clusters, and potentially save on hardware!
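As an added example (not IDSTower’s own code), here is a small Python script that reads rules in the Emerging Threats format, extracts each rule’s sid and metadata (such as the affected_product tag mentioned above), and renders a per-cluster rule file from a master list using the three targeting modes just listed. The rules, sids and cluster names are constructed for illustration.

```python
import re
# Constructed rules in Emerging Threats style; the sids 9000001-9000004 are made up.
SAMPLE_RULES = """\
alert smb $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE Windows SMB probe"; metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Linux client beacon"; metadata: affected_product Linux, attack_target Client_Endpoint; sid:9000002; rev:2;)
# alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE disabled upstream"; metadata: affected_product Any; sid:9000003; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE generic TLS anomaly"; sid:9000004; rev:1;)
"""

# Target per sid: ("only", clusters) or ("except", clusters); sids with no entry go to all clusters.
POLICY = {
    9000001: ("only", {"dmz", "internal-apps"}),  # Windows server rule: keep it off the client cluster
    9000002: ("except", {"windows-clients"}),
}

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|drop|pass|reject)\b.*?\((?P<opts>.*)\)\s*$")

def parse_rules(text):
    """Parse rule lines into dicts with sid, enabled flag, metadata and raw rule text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and plain comments
        opts = m.group("opts")
        sid = int(re.search(r"\bsid:\s*(\d+)\s*;", opts).group(1))
        meta, mm = {}, re.search(r"\bmetadata:\s*([^;]*);", opts)
        for item in (mm.group(1).split(",") if mm else []):
            key, _, value = item.strip().partition(" ")  # ET metadata is "key value" pairs
            meta.setdefault(key, []).append(value)
        rules.append({"sid": sid, "enabled": m.group("off") is None,
                      "meta": meta, "raw": line.lstrip("# ")})
    return rules

def targets_cluster(policy, sid, cluster):
    """Evaluate the all / only / except policy for one sid against one cluster name."""
    mode, clusters = policy.get(sid, ("all", set()))
    return {"only": cluster in clusters, "except": cluster not in clusters}.get(mode, True)

def render_for_cluster(rules, policy, cluster):
    """Rule file for one cluster: untargeted rules are commented out, upstream-disabled rules stay off."""
    lines = []
    for r in rules:
        on = r["enabled"] and targets_cluster(policy, r["sid"], cluster)
        lines.append(r["raw"] if on else "# " + r["raw"])
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for name in ("dmz", "windows-clients"):
        print(f"== {name} ==\n" + render_for_cluster(parse_rules(SAMPLE_RULES), POLICY, name))
```

Running it shows the DMZ cluster loading three of the four rules while the client cluster loads only the generic TLS rule; the same parsed metadata can be used to count how many rules carry a given affected_product value, as in the “windows” search above.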

Feel free to see this feature in action by visiting our demo instance, or get your free IDSTower license and try it out!

If you are interested in learning more about how IDSTower can enhance your network security operations, please explore the Features that IDSTower offers, or drop us an email to arrange a demo.