# Ruleset Management Guidance

Please see the [Match FAQ](https://docs.vectra.ai/deployment/match/faq) and [Match performance and ruleset optimization guidance](https://docs.vectra.ai/deployment/match/performance-and-rulset-optimization) for additional details.

## Supported Limits

* Vectra suggest using one ruleset per Sensor for easier management, though multiple are supported.
  * For ET rulesets, it’s preferable to use the `emerging-all.rules` file instead of per-category files.
* Match supports uploading up to 25 unique rulesets per Brain, each of which may be assigned to run on one or multiple Sensors paired to that same Brain.
* Each ruleset can be up to 200 MB in size.
* Rule IDs in a ruleset are required to be a positive 32-bit integer.
  * ET rules and the [Vectra Match Curated Ruleset](#vectra-match-curated-ruleset) use IDs in the 1,000,000 to 2,999,999 range.
  * IDs 9,000,000 to 11,999,999 are reserved for Vectra use.
  * Customer IDs must be below 9,000,000.
  * Customers must not duplicate rule IDs that are assigned to a Sensor, since Suricate will choose an arbitrary rule of the duplicates to use.

## Ruleset Sourcing and Editing

Vectra provides a curated ruleset, but customers may use any Suricata rulesets they desire. For details on accessing and using the curated ruleset, see [Vectra Match Curated Ruleset](#vectra-match-curated-ruleset).

Vectra Match supports rulesets in the standard Suricata format. These rule files can be created manually, purchased commercially, or downloaded from a variety of free sources. The most common sources are:

* Proofpoint’s Emerging Threats [ET Open](https://rules.emergingthreats.net/OPEN_download_instructions.html) or [ET Pro](https://www.proofpoint.com/us/threat-insight/et-pro-ruleset) rulesets for free or commercial use respectively
* [Snort’s Talos](https://www.snort.org/talos)
* Rules provided by various ISAC’s (Information Sharing and Analysis Centers)

Customers can manage rulesets directly in the Vectra UI. Vectra recommends using the UI to modify rule thresholds, rather than editing rule files directly. This ensures your changes are preserved and automatically applied even as new ruleset updates are released. Rule modifications made through the UI are automatically layered on top of the latest ruleset file, so you no longer need to reapply them manually. For details, please see the [Managing Vectra Match Rulesets](https://docs.vectra.ai/deployment/match/managing-rulesets) KB article.

For advanced use cases, ruleset editing can be done outside of your Vectra deployment. Some common ruleset editors are [IDSTower](https://idstower.com/) or [Lawmaker](https://3coresec.com/lawmaker)

Ruleset collection and management can also be done with tools such as [Suricata-update](https://github.com/OISF/suricata-update) but keep in mind that you cannot use such a tool to upload rules to Vectra Match. This must be done via the Vectra UI or one of the Match APIs.

### Vectra Match Workflow Script

Vectra has created a script that can be used in either Respond UX (RUX) or Quadrant UX (QUX) Match deployments to help automate ruleset management via API calls. The tool is available in [Vectra’s public Github](https://github.com/vectranetworks/vectra_match_workflow) and can be forked and modified as required.

### Vectra Match Curated Ruleset

Vectra provides a curated version of the [ET Pro](https://www.proofpoint.com/us/threat-insight/et-pro-ruleset) ruleset, typically on a daily basis, as a standard part of Match licensing. Vectra provides an initially tuned baseline policy to produce the best possible signal. Customers are encouraged to further tune the curated ruleset to their specific environment and goals. In addition to the curated ET Pro rules, Vectra’s curated ruleset will include rules that were created solely by Vectra.

Please see [Vectra Match Curated Ruleset](https://docs.vectra.ai/deployment/match/vectra-curated-ruleset) on the Vectra support site for more details.

* Match customers in air gap deployments can download the Curated ruleset for subsequent upload to their deployment from the Vectra Support portal. Please see the Curated Ruleset link above for more details.

To download the curated ruleset from the Vectra UI:

* Navigate in your Vectra UI to *Configuration → COVERAGE → Vectra Match* and click the **Download Vectra Ruleset** link.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/5pkxe6e92cCo0siME1Av/Unknown%20image)

To download the curated ruleset using the Match APIs (RUX, QUX):

* RUX
  * Perform a **GET** request against the `/api/v3.0/vectra-match/download-vectra-ruleset` endpoint.
  * This will return a URL that is valid for 2 minutes that can be used to download the file.
    * See [Download the Vectra Match Curated Ruleset (v3.3 RUX only)](https://docs.vectra.ai/deployment/match/api-deployment#download-the-vectra-match-curated-ruleset-v33-rux-only) for an example.
* QUX
  * Perform a GET request against the `/api/v2.5/vectra-match/download-vectra-ruleset` endpoint.
    * See [Download the Vectra Match Curated Ruleset (v2.5 QUX only)](https://docs.vectra.ai/deployment/match/api-deployment#download-the-vectra-match-curated-ruleset-v25-qux-only) for an example.

## Ruleset Lifecycle Management

Vectra recommends only using a single ruleset per Sensor for easier management, though we do support multiple rulesets per Sensor. The below is the recommended process to manage through ruleset changes.

1. Upload a ruleset v1 to the Brain.
2. Assign ruleset v1 to the Sensor(s). This operation also copies the ruleset to the Sensor(s).
3. When a new v2 ruleset needs to be applied:
   1. Upload ruleset v2 to the Brain.
   2. Assign ruleset v2 the Sensor(s).
4. Delete the v1 ruleset or delete the ruleset assignment per option a or b below.
   1. If no Sensor(s) need to continue running the v1 ruleset, delete the ruleset (this will also remove it from any Sensor(s) it was assigned to.
   2. If some Sensor(s) need to continue running the ruleset, delete the ruleset assignment for the Sensor(s) that no longer need to run the ruleset.

Per the [Supported Limits](#supported-limits), a Brain can support a maximum of 25 unique rulesets. When using the API, a multipart form object, `rotate`, can be used to make it easier to stay under this limit. Setting `rotate` to `true` will allow the Brain to delete the oldest unassigned ruleset when a 26<sup>th</sup> ruleset is attempted to be uploaded. If all rulesets are assigned to sensors or the `rotate` option is not used, when a 26<sup>th</sup> ruleset is attempted to be uploaded to the Brain, a 507 error stating `More than 25 files are currently stored by Vectra Match. Please delete any unused files and try again` will be returned.

Examples of deletion for rulesets or ruleset assignments are given in [API Deployment Examples](https://docs.vectra.ai/deployment/match/api-deployment#api-deployment-examples).

## Use of Suricata Address Groups and Variables

When building rules, Vectra supports the use of `HOME_NET`, `EXTERNAL_NET`, `PROXY_IPs`, and `EXCLUDE_NET`.

**How does Vectra populate the HOME\_NET variable?**

Vectra automatically populates the `HOME_NET` variable based on the configuration defined in the:

* Internal IP Addresses (CIDR) - "Internal subnet"
  * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
* Excluded Subnet of Internal IP Addresses (CIDR) - "Excluded subnet"
  * Viewable in your Vectra UI at *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
* Automatically discovered Southside Proxy IPs
  * Viewable at the CLI of your Brain with `show proxy --southside` command.
* For Example:
  * If you have 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as your Internal subnets
  * And 10.0.0.1, 10.0.0.2, 10.0.0.3 as Southside Proxy IP's,
  * And you've excluded 10.254.1.0/24 in the Excluded subnet,
  * The HOME\_NET variable would look like:
    * `[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,!PROXY_IPs,!EXCLUDE_NET]`
  * With `PROXY_IPs` being `[10.0.0.1, 10.0.0.2, 10.0.0.3]`
  * And `EXCLUDE_NET` would be `[10.254.1.0/24]`

**Does Vectra support setting other variables besides HOME\_NET?**

In addition to the `HOME_NET` Variable, Vectra supports the following variables:

* `EXTERNAL_NET` variable is `[!HOME_NET, PROXY_IPs, EXCLUDE_NET]`
* `PROXY_IPs` is a list of IP's that are automatically added to the `PROXY_IPs` variable if detected by Vectra's Southside proxy detection.
  * Northside proxies are not factored in here.
  * This variable was introduced in 9.0 and enables users to automatically treat any traffic sent to Proxies as External even if they have an internal address.
  * You can view the list of Southside proxies on the Brain CLI using `show proxy --southside`
* `EXCLUDE_NET`
  * The `EXCLUDE_NET` variable is automatically populated via the Excluded Subnet configuration under *Configuration → COVERAGE → Data Sources → Network → Brain Setup → IP Address Classification*
* Customers may use any of the supported Variables (`HOME_NET`, `PROXY_IPs`, `EXCLUDE_NET`, and `EXTERNAL_NET`) in your own rules.
* If you have further custom variables, you can always resolve them into the IP netblocks and use those in the rules instead, as this is all that Suricata does when a variable is in the `Suricata.yaml` file.