Diffstat (limited to 'README.rst')
-rw-r--r--README.rst123
1 files changed, 123 insertions, 0 deletions
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..36503a6
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,123 @@
+Suricata-Update
+===============
+
+The tool for updating your Suricata rules.
+
+Installation
+------------
+
+ pip install --upgrade suricata-update
+
+Documentation
+-------------
+
+https://suricata-update.readthedocs.io/en/latest/
+
+Issues
+------
+
+https://redmine.openinfosecfoundation.org/projects/suricata-update
+
+Example Usage
+-------------
+
+ suricata-update
+
+The default invocation of ``suricata-update`` will perform the following:
+
+- Read the configuration, /etc/suricata/update.yaml, if it exists.
+- Read in the rule filter configuration files:
+
+ - /etc/suricata/disable.conf
+ - /etc/suricata/enable.conf
+ - /etc/suricata/drop.conf
+ - /etc/suricata/modify.conf
+
+- Download the best version of the Emerging Threats Open ruleset for
+ the version of Suricata found.
+- Read in the rule files provided with the Suricata distribution from
+ /etc/suricata/rules.
+- Apply disable, enable, drop and modify filters.
+- Resolve flowbits.
+- Write the rules to /var/lib/suricata/rules/suricata.rules.
+
+If you are not yet ready to use /var/lib/suricata/rules then you may
+be interested in the `--output
+<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_ and
+`--no-merge
+<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_
+command line options.
+
+Suricata Configuration
+----------------------
+
+The default Suricata configuration needs to be updated to find the rules
+in the new location.
+
+Example suricata.yaml
+
+.. code-block:: yaml
+
+ default-rule-path: /var/lib/suricata/rules
+ rule-files:
+ - suricata.rules
+
+Optionally ``-S /var/lib/suricata/rules/suricata.rules`` could be
+provided on the Suricata command line.
+
+Notes
+-----
+
+This ``suricata-update`` tool is based around the idea
+``/etc/suricata`` should not be used for active rule management, but
+instead as a location for more or less static configuration. Instead
+``/var/lib/suricata`` is used for rule management and
+``/etc/suricata/rules`` is used as a source for rule files provided by
+the Suricata distribution.
+
+Files and Directories
+---------------------
+
+``/usr/share/suricata/rules``
+ Used as a source of rules provided by the Suricata engine. If this
+ directory does not exist, ``etc/suricata/rules`` will be used.
+
+``/etc/suricata/update.yaml``
+ The default location for the ``suricata-update`` configuration file.
+
+``/etc/suricata/disable.conf``
+ Default location for disable rule filters if not provided in the
+ configuration file or command line.
+
+``/etc/suricata/enable.conf``
+ Default location for enable rule filters if not provided in the
+ configuration file or command line.
+
+``/etc/suricata/drop.conf``
+ Default location for drop rule filters if not provided in the
+ configuration file or command line.
+
+``/etc/suricata/modify.conf``
+ Default location for modify rule filters if not provided in the
+ configuration file or command line.
+
+``/var/lib/suricata/rules``
+ The output directory for rules processed by the ``suricata-update``
+ tool. This directory is owned and managed by ``suricata-update`` and
+ should not be touched by the user.
+
+``/var/lib/suricata/rules/suricata.rules``
+ The default output filename for the rules processed by ``suricata-update``.
+
+ This is a single file that contains all the rules from all input
+ files and should be used by Suricata.
+
+``/var/lib/suricata/update/cache``
+ Directory where downloaded rule files are cached here.
+
+``/var/lib/suricata/rules/cache/index.yaml``
+ Cached copy of the rule source index.
+
+``/var/lib/suricata/update/sources``
+ Configuration direction for sources enabled or added with
+ ``enable-source`` or ``add-source``.