Scirius for rule management

Why doesn't NethServer use Scirius (https://github.com/StamusNetworks/scirius) for rule management? It has extra statistics and more sophisticated rule management, where single rules can also be disabled, not just categories.

NethServer aims to be easy to use.
Scirius configuration needs you to define sources, rulesets and categories.
We’d like to extend NethServer cockpit interface to allow more fine grained setups.
The first step is moving from pulledpork to suricata-update which is what I’m working on now.

The problem is that the current rule setup is almost useless, because several categories contain rules which are just informational. When such a category is set to "blocked", this can disturb the whole network. E.g. the "DNS" category, which includes DNS attacks but also an informational rule:

ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic]

If this category is set to "blocked", normal DNS queries are also blocked.

Scirius can also enable and disable rules at the category AND the rule level.

It also supports several rule sources and supports your own rules. This cannot currently be done with NethServer (without custom templates).

Maybe it would be better if Scirius were used in a standard configuration which the user can customize.

I agree with you.
We could try to find a way to "hide" part(*) of Scirius's complexity. If you have any idea, I'll try to help.

(*) having an initial setup that works out of the box, some presets that an experienced user can adjust.

It is also very difficult to find the exact rule documentation and rule id from the Evebox output. Unfortunately there is no link to the rule documentation.

It would be very helpful if it were possible to have a simple "disabled rule" list where rules can be disabled. You would just enable a category, look in the Evebox output and paste the rule ids which should not "block" but be ignored into this list. Maybe it would even be a good idea to have two exception lists: "Warn instead of block" and "Disable instead of block".
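The two exception lists proposed above ("Warn instead of block" and "Disable instead of block"), as an added example that is not part of this thread or of NethServer's or suricata-update's code: a plain SID-per-line list is parsed and applied to a category's rules by commenting out disabled SIDs and downgrading warn SIDs from drop to alert. The rules and SIDs are constructed placeholders; in production, suricata-update's own disable.conf and modify.conf give the same effect.

```python
import re

# Constructed sample rules in Suricata syntax (not from the page or the ET ruleset);
# the SIDs 9000001-9000003 are placeholders.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS Standard query response, Name Error"; classtype:not-suspicious; sid:9000001; rev:1;)
drop dns $HOME_NET any -> any any (msg:"EXAMPLE DNS Excessive NXDOMAIN responses"; classtype:bad-unknown; sid:9000002; rev:1;)
drop dns any any -> $HOME_NET 53 (msg:"EXAMPLE DNS Query tunnelling pattern"; classtype:bad-unknown; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\b")

def parse_sid_list(text):
    """One SID per line; '#' comments and blank lines are ignored, anything else is an error."""
    sids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.isdigit():
            raise ValueError("not a SID: %r" % raw)
        sids.add(int(line))
    return sids

def apply_exceptions(rules_text, warn_sids, disable_sids):
    """Rewrite one category's rules using the two exception lists:
    disable_sids -> rule commented out (Suricata ignores it);
    warn_sids    -> action forced to 'alert' so it only logs in Evebox instead of dropping.
    A SID in both lists is disabled; every other rule is left untouched."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m or line.lstrip().startswith("#"):
            out.append(line)  # blank line, comment or already-disabled rule
            continue
        sid = int(m.group(1))
        if sid in disable_sids:
            out.append("# " + line)
        elif sid in warn_sids:
            out.append(ACTION_RE.sub("alert", line, count=1))
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running the function twice over its own output changes nothing, so the lists can be re-applied after every ruleset update.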