suricata-update

by OISF

The tool for updating your Suricata rules.

133 Stars 50 Forks Last release: 7 months ago (1.1.2) GNU General Public License v2.0 271 Commits 20 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Suricata-Update

The tool for updating your Suricata rules.

Installation

pip install --upgrade suricata-update

Documentation

https://suricata-update.readthedocs.io/en/latest/

Issues

https://redmine.openinfosecfoundation.org/projects/suricata-update

Example Usage

suricata-update

The default invocation of

suricata-update
will perform the following:
  • Read the configuration, /etc/suricata/update.yaml, if it exists.
  • Read in the rule filter configuration files:

    • /etc/suricata/disable.conf
    • /etc/suricata/enable.conf
    • /etc/suricata/drop.conf
    • /etc/suricata/modify.conf
  • Download the best version of the Emerging Threats Open ruleset for the version of Suricata found.

  • Read in the rule files provided with the Suricata distribution from /etc/suricata/rules.

  • Apply disable, enable, drop and modify filters.

  • Resolve flowbits.

  • Write the rules to /var/lib/suricata/rules/suricata.rules.

If you are not yet ready to use /var/lib/suricata/rules then you may be interested in the

--output
_ and
--no-merge
_ command line options.

Suricata Configuration

The default Suricata configuration needs to be updated to find the rules in the new location.

Example suricata.yaml

.. code-block:: yaml

default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules

Optionally

-S /var/lib/suricata/rules/suricata.rules
could be provided on the Suricata command line.

Notes

This

suricata-update
tool is based around the idea
/etc/suricata
should not be used for active rule management, but instead as a location for more or less static configuration. Instead
/var/lib/suricata
is used for rule management and
/etc/suricata/rules
is used as a source for rule files provided by the Suricata distribution.

Files and Directories

/usr/share/suricata/rules
Used as a source of rules provided by the Suricata engine. If this directory does not exist,
etc/suricata/rules
will be used.

/etc/suricata/update.yaml
The default location for the
suricata-update
configuration file.

/etc/suricata/disable.conf
Default location for disable rule filters if not provided in the configuration file or command line.

/etc/suricata/enable.conf
Default location for enable rule filters if not provided in the configuration file or command line.

/etc/suricata/drop.conf
Default location for drop rule filters if not provided in the configuration file or command line.

/etc/suricata/modify.conf
Default location for modify rule filters if not provided in the configuration file or command line.

/var/lib/suricata/rules
The output directory for rules processed by the
suricata-update
tool. This directory is owned and managed by
suricata-update
and should not be touched by the user.

/var/lib/suricata/rules/suricata.rules
The default output filename for the rules processed by
suricata-update
.

This is a single file that contains all the rules from all input files and should be used by Suricata.

/var/lib/suricata/update/cache
Directory where downloaded rule files are cached here.

/var/lib/suricata/rules/cache/index.yaml
Cached copy of the rule source index.

/var/lib/suricata/update/sources
Configuration direction for sources enabled or added with
enable-source
or
add-source
.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.