Rules Transformation Options
Most cyber security analysts and security engineers use a publicly available IDS ruleset such as Emerging Threats. Those rulesets are very good and cover a wide range of threats; however, sometimes you need to customize the rules to fit your environment or to improve the detection logic.
If you edit the rules manually, you will need to merge and re-test those changes every time the rules vendor releases a new version. Moreover, if you want to share those rules with your team or with your customers, you will need to document the changes and share them with the team.
IDSTower offers a feature called “Rules Transformation”. It allows you to customize/tune the rules to fit your environment without losing the ability to track those changes, and without having to merge them into the latest version of the ruleset yourself, as IDSTower does this automatically.
The Rules Transformation feature allows you to customize the following options:
Rule Action: allows you to change the action of the rule, for example from “alert” to “drop” or “reject”.
Priority Keyword: allows you to change the priority of the rule, or add it if it doesn’t exist already. More details about the priority keyword can be found in the Suricata documentation.
Target Keyword: allows you to change the target of the rule, or add it if it doesn’t exist already. The target keyword lets the rule writer state which side of the alert (source or destination) is the target of the attack; this adds context to the alert and helps analysts understand it.
Moreover, analytical tools can use it to generate more insights about alerts; see the Suricata documentation for more details.
IDSTower can also use heuristics to set the target keyword value automatically based on the rule content. This transformation can be enabled or disabled from the Settings -> Rules tab, and it is enabled by default.
Threshold Keyword: allows you to change the threshold of the rule, or add it if it doesn’t exist already. The threshold keyword controls how often a rule alerts; see the Suricata documentation for more details.
Insert Tags Added by User to Rule Metadata Keywords: when enabled, IDSTower inserts the tags added by the user (on the Rule Page) into the IDS rule metadata keyword, letting rule writers enrich the generated alerts with more context.
Insert IDSTower Rule Id to Rule Metadata Keyword: when enabled, IDSTower inserts the IDSTower rule id number into the IDS rule metadata keyword, letting analysts reference the rule in IDSTower for various use cases.
Insert IDSTower Rule URL to Rule Metadata Keyword: when enabled, IDSTower inserts the IDSTower rule URL into the IDS rule metadata keyword, letting security analysts jump from their alert viewer (e.g. a SIEM or Elasticsearch) straight to the Rule Page in IDSTower to inspect the detection logic, which helps them triage alerts.
Insert IDSTower Rule Category to Rule Metadata Keyword: when enabled, IDSTower inserts the IDSTower rule category into the IDS rule metadata keyword, adding more context to the generated alerts and helping security analysts triage them.
Insert Extracted References to Rule Metadata Keyword: when enabled, IDSTower inserts references extracted from the IDS rule source code (e.g. URLs) into the rule metadata keyword, adding more context to the generated alerts and helping security analysts triage them.
Change $EXTERNAL_NET to Any to detect lateral movement: when enabled, IDSTower replaces the $EXTERNAL_NET variable with “any” in the rule source code. This is useful when you want to detect lateral movement within your network, which would otherwise go undetected because the rule only applies to traffic to or from external networks.
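To make the options above concrete, here is an added example (my own code, not IDSTower's) of a small Python rule transformer: it parses a single-line Suricata rule, applies each of the transformations listed above to it (action, priority, target, threshold, metadata insertions and the $EXTERNAL_NET rewrite), and renders the result. The setting names, the idstower_* metadata keys, the target heuristic and the sample rule are all assumptions made for this example; IDSTower's real implementation may differ.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$", re.S)

@dataclass
class Rule:
    action: str
    header: List[str]                         # proto, src, sport, direction, dst, dport
    options: List[Tuple[str, Optional[str]]]  # (keyword, value); value is None for flags

def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'key:value; flag; ...' on ';' but not inside double quotes."""
    opts, buf, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                key, sep, val = token.partition(":")
                opts.append((key.strip(), val.strip() if sep else None))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    return opts

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Suricata rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return Rule(action, [proto, src, sport, direction, dst, dport], split_options(body))

def render(rule: Rule) -> str:
    opts = " ".join(f"{k};" if v is None else f"{k}:{v};" for k, v in rule.options)
    return f"{rule.action} {' '.join(rule.header)} ({opts})"

def set_option(rule: Rule, key: str, value: str) -> None:
    """Change an existing keyword, or add it if the rule lacks it."""
    for i, (k, _) in enumerate(rule.options):
        if k == key:
            rule.options[i] = (key, value)
            return
    rule.options.append((key, value))

def add_metadata(rule: Rule, key: str, value: str) -> None:
    """metadata holds 'key value, key value'; extend it or create it."""
    for i, (k, v) in enumerate(rule.options):
        if k == "metadata":
            rule.options[i] = (k, f"{v}, {key} {value}")
            return
    rule.options.append(("metadata", f"{key} {value}"))

def guess_target(rule: Rule) -> Optional[str]:
    """My own simple heuristic, not IDSTower's: inbound traffic attacks the
    destination, outbound traffic (e.g. a C2 beacon) comes from the victim."""
    _, src, _, direction, dst, _ = rule.header
    if direction == "->" and src == "$EXTERNAL_NET" and dst == "$HOME_NET":
        return "dest_ip"
    if direction == "->" and src == "$HOME_NET" and dst == "$EXTERNAL_NET":
        return "src_ip"
    return None

# Setting names and idstower_* metadata keys are assumed for this example.
DEFAULTS = {"action": None, "priority": None, "target": "auto", "threshold": None,
            "tags": (), "rule_id": None, "rule_url": None, "category": None,
            "extract_references": False, "external_net_to_any": False}

def transform(text: str, **settings) -> str:
    unknown = set(settings) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    cfg = {**DEFAULTS, **settings}
    rule = parse_rule(text)
    if cfg["action"]:
        rule.action = cfg["action"]
    if cfg["priority"] is not None:
        set_option(rule, "priority", str(cfg["priority"]))
    # Decide the target before $EXTERNAL_NET is rewritten, or the heuristic is blind.
    target = guess_target(rule) if cfg["target"] == "auto" else cfg["target"]
    if target:
        set_option(rule, "target", target)
    if cfg["threshold"]:
        set_option(rule, "threshold", cfg["threshold"])
    for tag in cfg["tags"]:
        add_metadata(rule, "idstower_tag", tag)
    for key in ("rule_id", "rule_url", "category"):
        if cfg[key] is not None:
            add_metadata(rule, f"idstower_{key}", str(cfg[key]))
    if cfg["extract_references"]:
        for k, v in list(rule.options):  # iterate over a copy; add_metadata mutates
            kind, _, ref = (v or "").partition(",")
            if k == "reference" and kind == "url":
                add_metadata(rule, "idstower_reference", ref)
    if cfg["external_net_to_any"]:
        # Only the bare variable is rewritten: "!$EXTERNAL_NET" would become "!any".
        rule.header = ["any" if h == "$EXTERNAL_NET" else h for h in rule.header]
    return render(rule)

# Constructed sample rule for the demo; it is not taken from any real ruleset.
SAMPLE_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Suspicious UA"; '
               'flow:established,to_server; http.user_agent; content:"evil-agent"; '
               "reference:url,example.invalid/writeup; classtype:trojan-activity; sid:9000001; rev:1;)")

if __name__ == "__main__":
    print(transform(SAMPLE_RULE, action="drop", priority=1, tags=["prod"],
                    threshold="type limit, track by_src, count 1, seconds 60",
                    rule_id=4242, rule_url="https://idstower.example/rules/4242",
                    category="Malware", extract_references=True, external_net_to_any=True))
```

Two points the code makes explicit: the target heuristic must run before the $EXTERNAL_NET rewrite, otherwise the rewritten header no longer carries the information it needs; and the rewrite only touches the bare variable, since negated (`!$EXTERNAL_NET`) or list forms would produce an invalid or wrongly scoped header. Whatever tool applies such transformations, the resulting ruleset should still be validated (for Suricata, `suricata -T` with your config) before it is pushed to sensors.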
The Rules Transformation feature is very powerful: it lets you tailor the rules to your environment while IDSTower keeps tracking your changes and merging them into each new version of the ruleset automatically.
These transformations can be enabled or disabled from the Settings -> Rules tab, and override values, when needed, can be set from the Rule Editor interface.
Please let us know if you need additional transformation options; we are always happy to hear from you and improve our product.