Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/OISF/suricata-update

The tool for updating your Suricata rules.
https://github.com/OISF/suricata-update

ids ips network-monitoring nsm security suricata

Last synced: about 6 hours ago
JSON representation

The tool for updating your Suricata rules.

Awesome Lists containing this project

README 

        
Suricata-Update

===============



The tool for updating your Suricata rules.



Installation

------------



    pip install --upgrade suricata-update



Documentation

-------------



https://suricata-update.readthedocs.io/en/latest/



Issues

------



https://redmine.openinfosecfoundation.org/projects/suricata-update



Example Usage

-------------



    suricata-update



The default invocation of ``suricata-update`` will perform the following:



- Read the configuration, /etc/suricata/update.yaml, if it exists.

- Read in the rule filter configuration files:



  - /etc/suricata/disable.conf

  - /etc/suricata/enable.conf

  - /etc/suricata/drop.conf

  - /etc/suricata/modify.conf



- Download the best version of the Emerging Threats Open ruleset for

  the version of Suricata found.

- Read in the rule files provided with the Suricata distribution from

  /etc/suricata/rules.

- Apply disable, enable, drop and modify filters.

- Resolve flowbits.

- Write the rules to /var/lib/suricata/rules/suricata.rules.



If you are not yet ready to use /var/lib/suricata/rules then you may

be interested in the `--output

`_ and

`--no-merge

`_

command line options.



Suricata Configuration

----------------------



The default Suricata configuration needs to be updated to find the rules

in the new location.



Example suricata.yaml



.. code-block:: yaml



  default-rule-path: /var/lib/suricata/rules

  rule-files:

    - suricata.rules



Optionally ``-S /var/lib/suricata/rules/suricata.rules`` could be

provided on the Suricata command line.



Notes

-----



This ``suricata-update`` tool is based around the idea

``/etc/suricata`` should not be used for active rule management, but

instead as a location for more or less static configuration.  Instead

``/var/lib/suricata`` is used for rule management and

``/etc/suricata/rules`` is used as a source for rule files provided by

the Suricata distribution.



Files and Directories

---------------------



``/usr/share/suricata/rules``

   Used as a source of rules provided by the Suricata engine. If this

   directory does not exist, ``etc/suricata/rules`` will be used.



``/etc/suricata/update.yaml``

  The default location for the ``suricata-update`` configuration file.



``/etc/suricata/disable.conf``

  Default location for disable rule filters if not provided in the

  configuration file or command line.



``/etc/suricata/enable.conf``

  Default location for enable rule filters if not provided in the

  configuration file or command line.



``/etc/suricata/drop.conf``

  Default location for drop rule filters if not provided in the

  configuration file or command line.



``/etc/suricata/modify.conf``

  Default location for modify rule filters if not provided in the

  configuration file or command line.

  

``/var/lib/suricata/rules``

  The output directory for rules processed by the ``suricata-update``

  tool. This directory is owned and managed by ``suricata-update`` and

  should not be touched by the user.



``/var/lib/suricata/rules/suricata.rules``

  The default output filename for the rules processed by ``suricata-update``.



  This is a single file that contains all the rules from all input

  files and should be used by Suricata.



``/var/lib/suricata/update/cache``

  Directory where downloaded rule files are cached here.



``/var/lib/suricata/rules/cache/index.yaml``

  Cached copy of the rule source index.



``/var/lib/suricata/update/sources``

  Configuration direction for sources enabled or added with

  ``enable-source`` or ``add-source``.