summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/Makefile156
-rw-r--r--doc/_static/.gitignore0
-rw-r--r--doc/add-source.rst45
-rw-r--r--doc/check-versions.rst21
-rw-r--r--doc/common-options.rst51
-rw-r--r--doc/conf.py247
-rw-r--r--doc/disable-source.rst22
-rw-r--r--doc/enable-source.rst35
-rw-r--r--doc/index.rst16
-rw-r--r--doc/list-sources.rst28
-rw-r--r--doc/quickstart.rst209
-rw-r--r--doc/remove-source.rst21
-rw-r--r--doc/update-sources.rst40
-rw-r--r--doc/update.rst324
14 files changed, 1215 insertions, 0 deletions
diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 0000000..bfa0803
--- /dev/null
+++ b/doc/Makefile
@@ -0,0 +1,156 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+SPHINXAPIDOC = sphinx-apidoc
+PAPER =
+BUILDDIR = _build
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
+
+all: html
+
+help:
+ @echo "Please use \`make <target>' where <target> is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+ -rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/suricataupdate.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/suricataupdate.qhc"
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/suricataupdate"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/suricataupdate"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
diff --git a/doc/_static/.gitignore b/doc/_static/.gitignore
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/doc/_static/.gitignore
diff --git a/doc/add-source.rst b/doc/add-source.rst
new file mode 100644
index 0000000..c49692c
--- /dev/null
+++ b/doc/add-source.rst
@@ -0,0 +1,45 @@
+################################
+add-source - Add a source by URL
+################################
+
+Synopsis
+========
+
+::
+
+ suricata-update add-source <name> <url>
+
+Description
+===========
+
+The ``add-source`` adds a source to the set of enabled sources by
+URL. It is useful to add a source that is not provided in the index.
+
+Options
+=======
+
+.. option:: --http-header "Header: Value"
+
+ Add an additional HTTP header to requests for this rule source such
+ as a custom API key. Example::
+
+ add-source --http-header "X-API-Key: 1234"
+
+ HTTP basic authentication can be achieved by setting the HTTP Basic
+ Authentication header with ``base64(user1:password1)``. Example::
+
+ add-source --http-header "Authorization: Basic dXNlcjE6cGFzc3dvcmQx"
+
+ HTTP Bearer authentication can be used by setting the HTTP Bearer Authentication header
+ with a OAuth2 token containing printable ASCII characters. Example::
+
+ add-source --http-header "Auhorization: Bearer NjA2MTUOTAx?D+wOm4U/vpXQy0xhl!hSaR7#ENVpK59"
+
+.. option:: --no-checksum
+
+ Skips downloading the checksum URL for the rule source.
+
+Common Options
+==============
+
+.. include:: ./common-options.rst
diff --git a/doc/check-versions.rst b/doc/check-versions.rst
new file mode 100644
index 0000000..8be2e0a
--- /dev/null
+++ b/doc/check-versions.rst
@@ -0,0 +1,21 @@
+##########################################
+check-versions - Check version of Suricata
+##########################################
+
+Synopsis
+========
+
+::
+
+ suricata-update check-versions
+
+Description
+===========
+
+The ``check-versions`` command checks if the installed Suricata version is up
+to date.
+
+Options
+=======
+
+.. include:: common-options.rst
diff --git a/doc/common-options.rst b/doc/common-options.rst
new file mode 100644
index 0000000..d56df99
--- /dev/null
+++ b/doc/common-options.rst
@@ -0,0 +1,51 @@
+.. option:: -h, --help
+
+ Show help.
+
+.. option:: -D <directory>, --data-dir <directory>
+
+ Set an alternate data directory.
+
+ Default: */var/lib/suricata*
+
+.. option:: -c <filename>, --config <filename>
+
+ Path to the suricata-update config file.
+
+ Default: */etc/suricata/update.yaml*
+
+.. option:: -q, --quiet
+
+ Run quietly. Only warning and error messages will be displayed.
+
+.. option:: -v, --verbose
+
+ Provide more verbose output.
+
+.. option:: --suricata-conf <path>
+
+ Path to the suricata config file.
+
+ Default: */etc/suricata/suricata.yaml*
+
+.. option:: --suricata <path>
+
+ The path to the Suricata program. If not provided
+ ``suricata-update`` will attempt to find Suricata on your path.
+
+ The Suricata program is used to determine the version of Suricata
+ as well as providing information about the Suricata configuration.
+
+.. option:: --suricata-version <version>
+
+ Set the Suricata version to a specific version instead of checking
+ the version of Suricata on the path.
+
+.. option:: --user-agent <string>
+
+ Set a custom user agent string for HTTP requests.
+
+.. option:: -s, --show-advanced
+
+ Show advanced options.
+ \ No newline at end of file
diff --git a/doc/conf.py b/doc/conf.py
new file mode 100644
index 0000000..b779bc9
--- /dev/null
+++ b/doc/conf.py
@@ -0,0 +1,247 @@
+# -*- coding: utf-8 -*-
+#
+# Suricata-Update documentation build configuration file, created by
+# sphinx-quickstart on Wed Jul 17 23:14:56 2013.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath('..'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['sphinx.ext.autodoc',
+ 'sphinx.ext.ifconfig',
+ 'sphinx.ext.viewcode',
+ 'sphinxcontrib.programoutput']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'suricata-update'
+copyright = u'2017, OISF'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+import suricata.update.version
+
+version = suricata.update.version.version
+release = version
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'suricataupdatedoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+#'papersize': 'letterpaper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+ ('index', 'suricata-update.tex', u'Suricata Update Documentation',
+ u'OISF', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'suricata-update', u'Suricata Update', [], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+
+# -- Options for Texinfo output ------------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'suricata-update', u'Suricata Update Documentation',
+ u'OISF', 'suricata-update', 'Suricata Update Documentation.',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
+
+highlight_language = "none"
diff --git a/doc/disable-source.rst b/doc/disable-source.rst
new file mode 100644
index 0000000..b2c9ef0
--- /dev/null
+++ b/doc/disable-source.rst
@@ -0,0 +1,22 @@
+##########################################
+disable-source - Disable an enabled source
+##########################################
+
+Synopsis
+========
+
+::
+
+ suricata-update disable-source <name>
+
+Description
+===========
+
+The ``disable-source`` command disables a currently enabled
+source. The configuration for the source is not removed, allowing it
+to be re-enabled without having to re-enter any required parameters.
+
+Options
+=======
+
+.. include:: ./common-options.rst
diff --git a/doc/enable-source.rst b/doc/enable-source.rst
new file mode 100644
index 0000000..476b87f
--- /dev/null
+++ b/doc/enable-source.rst
@@ -0,0 +1,35 @@
+###############################
+enable-source - Enable a source
+###############################
+
+Synopsis
+========
+
+::
+
+ suricata-update enable-source <source-name> [param=val ...]
+
+Description
+===========
+
+Enable a source that is listed in the index.
+
+If the index requires user provided parameters the user will be
+prompted for them. Alternatively they can be provided on command line
+to avoid the prompt.
+
+For example::
+
+ suricata-update enable-source et/pro secret-code=xxxxxxxxxxxxxxxx
+
+This will prevent the prompt for the et/pro secret code using the
+value provided on the command line instead.
+
+To update parameters for enabled sources, just re-run the ``enable-source``
+command above again with changed parameters. Changed parameters will be
+updated in the stored configuration.
+
+Options
+=======
+
+.. include:: ./common-options.rst
diff --git a/doc/index.rst b/doc/index.rst
new file mode 100644
index 0000000..a9268c9
--- /dev/null
+++ b/doc/index.rst
@@ -0,0 +1,16 @@
+#############################################
+suricata-update - A Suricata Rule Update Tool
+#############################################
+
+.. toctree::
+ :maxdepth: 2
+
+ quickstart
+ update
+ update-sources
+ list-sources
+ enable-source
+ disable-source
+ remove-source
+ add-source
+ check-versions
diff --git a/doc/list-sources.rst b/doc/list-sources.rst
new file mode 100644
index 0000000..f4b36eb
--- /dev/null
+++ b/doc/list-sources.rst
@@ -0,0 +1,28 @@
+########################################
+list-sources - List available sources
+########################################
+
+Synopsis
+========
+
+::
+
+ suricata-update list-sources
+
+Description
+===========
+
+The ``list-sources`` command lists all the available sources.
+
+Options
+=======
+
+.. include:: common-options.rst
+
+.. option:: --free
+
+ List all freely available sources.
+
+.. option:: --enabled
+
+ Lists all the enabled sources.
diff --git a/doc/quickstart.rst b/doc/quickstart.rst
new file mode 100644
index 0000000..bf57de5
--- /dev/null
+++ b/doc/quickstart.rst
@@ -0,0 +1,209 @@
+Quick Start
+###########
+
+Install Suricata Update
+=======================
+
+Suricata-Update is bundled with all supported versions of Suricata and
+should be installed when Suricata is installed. Please check if
+``suricata-update`` is already installed before proceeding with these
+installation directions, for example, the following command will tell
+you the version::
+
+ suricata-update -V
+
+You should only need to install Suricata-Update manually if it is
+required independently of a Suricata install.
+
+Suricata-Update is a tool written in Python and best installed with
+the ``pip`` tool for installing Python packages.
+
+Pip can install ``suricata-update`` globally making it available to
+all users or it can install ``suricata-update`` into your home
+directory.
+
+To install ``suricata-update`` globally::
+
+ pip install --upgrade suricata-update
+
+or to install it to your own directory::
+
+ pip install --user --upgrade suricata-update
+
+Pip can also be used to install the latest development version of
+Suricata-Update::
+
+ pip install --user --upgrade \
+ https://github.com/oisf/suricata-update/archive/master.zip
+
+.. note:: When installing to your home directory the
+ ``suricata-update`` program will be installed to
+ $HOME/.local/bin, so make sure this directory is in your
+ path::
+
+ export PATH=$HOME/.local/bin:$PATH
+
+Directories and Permissions
+===========================
+
+In order for ``suricata-update`` to function, the following
+permissions are required:
+
+* Directory /etc/suricata: read/write access
+* Directory /var/lib/suricata/rules: read/write access
+* Directory /var/lib/suricata/update: read/write access
+
+One option is to simply run ``suricata-update`` as root or with
+``sudo``.
+
+.. note:: It is recommended to create a ``suricata`` group and setup
+ the above directories with the correct permissions for
+ the ``suricata`` group then add users to the ``suricata``
+ group.
+
+Steps to setup the above directories with the correct permissions:
+
+First, create a group ``suricata``::
+
+ sudo groupadd suricata
+
+Next, change the group of the directories and its files recursively::
+
+ sudo chgrp -R suricata /etc/suricata
+ sudo chgrp -R suricata /var/lib/suricata/rules
+ sudo chgrp -R suricata /var/lib/suricata/update
+
+.. note:: The paths ``/etc/suricata`` and ``/var/lib`` above are used
+ in the default configuration and are dependent on paths set
+ during compilation. By default, these paths are set to
+ ``/usr/local``.
+ Please check your configuration for appropriate paths.
+
+Setup the directories with the correct permissions for the ``suricata``
+group::
+
+ sudo chmod -R g+r /etc/suricata/
+ sudo chmod -R g+rw /var/lib/suricata/rules
+ sudo chmod -R g+rw /var/lib/suricata/update
+
+Now, add user to the group::
+
+ sudo usermod -a -G suricata username
+
+Verify whether group has been changed::
+
+ ls -al /etc/suricata
+ ls -al /var/lib/suricata/rules
+ ls -al /var/lib/suricata/update
+
+Reboot your system. Run ``suricata-update`` without a sudo to check
+if suricata-update functions.
+
+Update Your Rules
+=================
+
+Without doing any configuration the default operation of
+``suricata-update`` is to use the Emerging Threats Open ruleset.
+
+Example::
+
+ suricata-update
+
+This command will:
+
+* Look for the ``suricata`` program on your path to determine its
+ version.
+
+* Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf,
+ /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for
+ filters to apply to the downloaded rules. These files are optional
+ and do not need to exist.
+
+* Download the Emerging Threats Open ruleset for your version of
+ Suricata, defaulting to 6.0.0 if not found.
+
+* Apply enable, disable, drop and modify filters as loaded above.
+
+* Write out the rules to ``/var/lib/suricata/rules/suricata.rules``.
+
+* Run Suricata in test mode on
+ ``/var/lib/suricata/rules/suricata.rules``.
+
+.. note:: Suricata-Update is also capable of triggering a rule reload,
+ but doing so requires some extra configuration that will be
+ covered later. See the documentation of
+ :command:`--reload-command=<command>` for more details.
+
+Configure Suricata to Load Suricata-Update Managed Rules
+========================================================
+
+.. note:: If ``suricata-update`` was installed for you by Suricata,
+ then your Suricata configuration should already be setup to
+ work with Suricata-Update.
+
+If upgrading from an older version of Suricata, or running a
+development version that may not be bundled with Suricata-Update, you
+will have to check that your ``suricata.yaml`` is configured for
+Suricata-Update. The main difference is the ``default-rule-path``
+which is ``/var/lib/suricata/rules`` when using Suricata-Update.
+
+You will want to update your ``suricata.yaml`` to have the following::
+
+ default-rule-path: /var/lib/suricata/rules
+ rule-files:
+ - suricata.rules
+
+If you have local rules you would like Suricata to load, these can be
+listed here as well by using the full path name.
+
+Discover Other Available Rule Sources
+=====================================
+
+First update the rule source index with the ``update-sources`` command,
+for example::
+
+ suricata-update update-sources
+
+Then list the sources from the index. Example::
+
+ suricata-update list-sources
+
+Now enable the **ptresearch/attackdetection** ruleset::
+
+ suricata-update enable-source ptresearch/attackdetection
+
+And update your rules again::
+
+ suricata-update
+
+List Enabled Sources
+====================
+
+::
+
+ suricata-update list-sources --enabled
+
+Disable a Source
+================
+
+::
+
+ suricata-update disable-source et/pro
+
+Disabling a source keeps the source configuration but disables. This
+is useful when a source requires parameters such as a code that you
+don't want to lose, which would happen if you removed a source.
+
+Enabling a disabled source re-enables without prompting for user
+inputs.
+
+Remove a Source
+===============
+
+::
+
+ suricata-update remove-source et/pro
+
+This removes the local configuration for this source. Re-enabling
+**et/pro** will requiring re-entering your access code.
+
diff --git a/doc/remove-source.rst b/doc/remove-source.rst
new file mode 100644
index 0000000..f8e3135
--- /dev/null
+++ b/doc/remove-source.rst
@@ -0,0 +1,21 @@
+##########################################
+remove-source - Remove a configured source
+##########################################
+
+Synopsis
+========
+
+::
+
+ suricata-update remove-source <name>
+
+Description
+===========
+
+Remove a source configuration. This removes the source file from
+``/var/lib/suricata/update/sources``, even if its disabled.
+
+Options
+=======
+
+.. include:: ./common-options.rst
diff --git a/doc/update-sources.rst b/doc/update-sources.rst
new file mode 100644
index 0000000..ade1246
--- /dev/null
+++ b/doc/update-sources.rst
@@ -0,0 +1,40 @@
+########################################
+update-sources - Update the source index
+########################################
+
+Synopsis
+========
+
+::
+
+ suricata-update update-sources
+
+Description
+===========
+
+The ``update-sources`` command downloads the latest index of available
+sources.
+
+Options
+=======
+
+.. include:: common-options.rst
+
+Files and Directories
+=====================
+
+``/var/lib/suricata/rules/.cache/index.yaml``
+ Where the downloaded source index is cached.
+
+Environment Variables
+=====================
+
+**SOURCE_INDEX_URL**
+ This environment variable allows the specification of an alternate
+ URL to download the index from.
+
+URLs
+====
+
+``https://www.openinfosecfoundation.org/rules/index.yaml``
+ The default URL used to download the index from.
diff --git a/doc/update.rst b/doc/update.rst
new file mode 100644
index 0000000..c3db62e
--- /dev/null
+++ b/doc/update.rst
@@ -0,0 +1,324 @@
+########################
+suricata-update - Update
+########################
+
+Synopsis
+========
+
+``suricata-update`` [OPTIONS]
+
+Description
+===========
+
+``suricata-update`` aims to be a simple to use rule download and
+management tool for Suricata.
+
+Options
+=======
+
+.. include:: ./common-options.rst
+
+.. option:: -o, --output
+
+ The directory to output the rules to.
+
+ Default: */var/lib/suricata/rules*
+
+.. option:: --force
+
+ Force remote rule files to be downloaded if they otherwise wouldn't
+ be due to just recently downloaded, or the remote checksum matching
+ the cached copy.
+
+.. option:: --no-merge
+
+ Do not merge the rules into a single rule file.
+
+ *Warning: No attempt is made to resolve conflicts if 2 input rule files have the same name.*
+
+.. option:: --yaml-fragment=<filename.yaml>
+
+ Output a fragment of YAML containing the *rule-files* section will
+ all downloaded rule files listed for inclusion in your
+ *suricata.yaml*.
+
+.. option:: --url=<url>
+
+ A URL to download rules from. This option can be used multiple
+ times.
+
+.. option:: --local=<filename or directory>
+
+ A path to a filename or directory of local rule files to include.
+
+ If the path is a directory all files ending in *.rules* will be
+ loaded.
+
+ Wildcards are accepted but to avoid shell expansion the argument
+ must be quoted, for example::
+
+ --local '/etc/suricata/custom-*.rules'
+
+ This option can be specified multiple times.
+
+.. option:: --sid-msg-map=<filename>
+
+ Output a v1 style sid-msg.map file.
+
+.. option:: --sid-msg-map-2=<filename>
+
+ Output a v2 style sid-msg.map file.
+
+.. option:: --disable-conf=<disable.conf>
+
+ Specify the configuration file for disable filters.
+
+ See :ref:`example-disable-conf`
+
+.. option:: --enable-conf=<enable.conf>
+
+ Specify the configuration file for enable rules.
+
+ See :ref:`example-enable-conf`
+
+.. option:: --modify-conf=<modify.conf>
+
+ Specify the configuration file for rule modification filters.
+
+ See :ref:`example-modify-conf`
+
+.. option:: --drop-conf=<drop.conf>
+
+ Specify the configuration file for drop filters.
+
+ See :ref:`example-drop-conf`
+
+.. option:: --ignore=<pattern>
+
+ Filenames to ignore. This is a pattern that will be matched against
+ the basename of a rule files.
+
+ This argument may be specified multiple times.
+
+ Default: *\*deleted.rules*
+
+ Example::
+
+ --ignore dnp3-events.rules --ignore deleted.rules --ignore "modbus*"
+
+ .. note::
+
+ If specified the default value of *\*deleted.rules* will no longer
+ be used, so add it as an extra ignore if needed.
+
+.. option:: --no-ignore
+
+ Disable the --ignore option. Most useful to disable the default
+ ignore pattern without adding others.
+
+.. option:: --etopen
+
+ Download the ET/Open ruleset.
+
+ This is the default action of no ``--url`` options are provided or
+ no sources are configured.
+
+ Use this option to enable the ET/Open ruleset in addition to any
+ URLs provided on the command line or sources provided in the
+ configuration.
+
+.. option:: --dump-sample-configs
+
+ Output sample configuration files for the ``--disable``,
+ ``--enable``, ``--modify`` and ``--threshold-in`` commands.
+
+.. option:: --threshold-in=<threshold.conf.in>
+
+ Specify the threshold.conf input template.
+
+.. option:: --threshold-out=<threshold.conf>
+
+ Specify the name of the processed threshold.conf to output.
+
+.. option:: -T <command>, --test-command <command>
+
+ Specifies a custom test command to test the rules before reloading
+ Suricata. This overrides the default command and can also be
+ specified in the configuration file under ``test-command``.
+
+.. option:: --no-test
+
+ Disables the test command and proceed as if it had passed.
+
+.. option:: --reload-command=<command>
+
+ A command to run after the rules have been updated; will not run if
+ no change to the output files was made. For example::
+
+ --reload-command='sudo kill -USR2 $(pidof suricata)'
+
+ will tell Suricata to reload its rules.
+
+ Furthermore the reload can be triggered using the Unix socket of Suricata.
+
+ Blocking reload (with Suricata waiting for the reload to finish)::
+
+ --reload-command='sudo suricatasc -c reload-rules'
+
+ Non blocking reload (without restarting Suricata)::
+
+ --reload-command='sudo suricatasc -c ruleset-reload-nonblocking'
+
+ See the Suricata documentation on `Rule Reloads
+ <https://suricata.readthedocs.io/en/latest/rule-management/rule-reload.html>`_
+ for more information.
+
+.. option:: --no-reload
+
+ Disable Suricata rule reload.
+
+.. option:: -V, --version
+
+ Display the version of **suricata-update**.
+
+.. option:: --offline
+
+ Run offline using most recent cached rules.
+
+Rule Matching
+=============
+
+Matching rules for disabling, enabling, converting to drop or
+modification can be done with the following:
+
+- signature ID
+- regular expression
+- rule group
+- filename
+
+Signature ID Matching
+---------------------
+
+A signature ID can be matched by just its signature ID, for example::
+
+ 1034
+
+The generator ID can also be used for compatibility with other tools::
+
+ 1:1034
+
+Regular Expression Matching
+---------------------------
+
+Regular expression matching will match a regular expression over the
+complete rule. Example::
+
+ re:heartbleed
+ re:MS(0[7-9]|10)-\d+
+
+Group Matching
+--------------
+
+The group matcher matches against the group the rule was loaded
+from. Basically this is the filename without the leading path or file
+extension. Example::
+
+ group:emerging-icmp.rules
+ group:emerging-dos
+
+Wild card matching similar to wildcards used in a Unix shell can also
+be used::
+
+ group:*deleted*
+
+Filename Matching
+-----------------
+
+The filename matcher matches against the filename the rule was loaded
+from taking into consideration the full path. Shell wildcard patterns
+are allowed::
+
+ filename:rules/*deleted*
+ filename:*/emerging-dos.rules
+
+Metadata Matching
+-----------------
+
+Rules can be enabled or disabled based on the metadata fields
+contained in the rule, for example::
+
+ metadata: deployment perimeter
+
+Will match rules that have a metadata field of "deployment" with the
+value of "perimeter" (case insensitive). This will match on a rule
+with the provided metadata::
+
+ metadata:affected_product Any, attack_target Any, deployment Perimeter
+
+.. note:: Metadata matching can only be used to enable, disable or
+ convert rules to drop. It is not available for rule
+ modification.
+
+Modifying Rules
+---------------
+
+Rule modification can be done with regular expression search and
+replace. The basic format for a rule modification specifier is::
+
+ <match> <from> <to>
+
+where <match> is one of the rule matchers from above, <from> is the
+text to be replaced and <to> is the replacement text.
+
+Example converting all alert rules to drop::
+
+ re:. ^alert drop
+
+Example converting all drop rules with noalert back to alert::
+
+ re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"
+
+Order of application of configuration files
+===========================================
+1. disable.conf
+2. enable.conf
+3. drop.conf
+4. modify.conf
+
+Example Configuration Files
+===========================
+
+.. _example_update_yaml:
+
+Example Configuration File (/etc/suricata/update.yaml)
+------------------------------------------------------
+
+.. literalinclude:: ../suricata/update/configs/update.yaml
+
+.. _example-enable-conf:
+
+Example Configuration to Enable Rules (--enable-conf)
+-----------------------------------------------------
+
+.. literalinclude:: ../suricata/update/configs/enable.conf
+
+.. _example-disable-conf:
+
+Example Configuration to Disable Rules (--disable-conf)
+--------------------------------------------------------
+
+.. literalinclude:: ../suricata/update/configs/disable.conf
+
+.. _example-drop-conf:
+
+Example Configuration to convert Rules to Drop (--drop-conf)
+------------------------------------------------------------
+
+.. literalinclude:: ../suricata/update/configs/drop.conf
+
+.. _example-modify-conf:
+
+Example Configuration to modify Rules (--modify-conf)
+-----------------------------------------------------
+
+.. literalinclude:: ../suricata/update/configs/modify.conf