Diffstat (limited to '')
-rw-r--r-- doc/userguide/rule-management/suricata-update.rst                  | 116
-rw-r--r-- doc/userguide/rule-management/suricata-update/suricata-update.png | bin 0 -> 228312 bytes
2 files changed, 116 insertions, 0 deletions
diff --git a/doc/userguide/rule-management/suricata-update.rst b/doc/userguide/rule-management/suricata-update.rst new file mode 100644 index 0000000..0c86d0f --- /dev/null +++ b/doc/userguide/rule-management/suricata-update.rst 
@@ -0,0 +1,116 @@ +Rule Management with Suricata-Update +==================================== + +While it is possible to download and install rules manually, it is +recommended to use a management tool for this. ``suricata-update`` is the +official way to update and manage rules for Suricata. + +``suricata-update`` is bundled with Suricata and is normally installed +with it. For instructions on installing manually, see http://suricata-update.readthedocs.io/en/latest/quickstart.html#install-suricata-update + +.. note:: ``suricata-update`` is bundled with Suricata version 4.1 and + later. It can be used with older versions as well. It will + have to be installed separately in that case. + +To download the Emerging Threats Open ruleset, it is enough to simply run: + +:: + + sudo suricata-update + +This will download the ruleset into `/var/lib/suricata/rules/` + +Suricata's configuration will have to be updated to have a rules config like +this: + +:: + + default-rule-path: /var/lib/suricata/rules + rule-files: + - suricata.rules + +Now (re)start Suricata. + + +Updating your rules +~~~~~~~~~~~~~~~~~~~ + +To update the rules, simply run + +:: + + sudo suricata-update + +It is recommended to update your rules frequently. + + +Using other rulesets +~~~~~~~~~~~~~~~~~~~~ + +Suricata-Update is capable of making other rulesets accessible as well. + +To see what is available, fetch the master index from the OISF hosts: + +:: + + sudo suricata-update update-sources + +Then have a look at what is available: + +:: + + sudo suricata-update list-sources + +This will give a result similar to + +.. image:: suricata-update/suricata-update.png + +Each of the rulesets has a name that has a 'vendor' prefix, followed by a +set name. For example, OISF's traffic id ruleset is called 'oisf/trafficid'. 
+ +To enable 'oisf/trafficid', enter: + +:: + + sudo suricata-update enable-source oisf/trafficid + sudo suricata-update + +Now restart Suricata again and the rules from the OISF TrafficID ruleset are loaded. + +To see which rulesets are currently active, use "list-enabled-sources". + +Controlling which rules are used +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default ``suricata-update`` will merge all rules into a single file +"/var/lib/suricata/rules/suricata.rules". + +To enable rules that are disabled by default, use `/etc/suricata/enable.conf` + +:: + + 2019401 # enable signature with this sid + group:emerging-icmp.rules # enable this rulefile + re:trojan # enable all rules with this string + + +Similarly, to disable rules use `/etc/suricata/disable.conf`: + +:: + + 2019401 # disable signature with this sid + group:emerging-info.rules # disable this rulefile + re:heartbleed # disable all rules with this string + +After updating these files, rerun ``suricata-update`` again: + +:: + + sudo suricata-update + +Finally restart Suricata. + +Further reading +~~~~~~~~~~~~~~~ + +See https://suricata-update.readthedocs.io/en/latest/ diff --git a/doc/userguide/rule-management/suricata-update/suricata-update.png b/doc/userguide/rule-management/suricata-update/suricata-update.png Binary files differnew file mode 100644 index 0000000..aedd3a2 --- /dev/null +++ b/doc/userguide/rule-management/suricata-update/suricata-update.png |
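Review bot: the `enable.conf` and `disable.conf` examples in this hunk use the same sid, `2019401 # enable signature with this sid` and `2019401 # disable signature with this sid`, which leaves a reader unsure what happens when a rule matches both files; use two different sids for the two examples, or keep one sid and add a sentence stating which file takes precedence when both match. Two smaller points in the same hunk: the install link is `http://suricata-update.readthedocs.io/en/latest/quickstart.html#install-suricata-update` while the "Further reading" link to the same site is `https://suricata-update.readthedocs.io/en/latest/`, so use https for both; and `"list-enabled-sources"` is the only command given in double quotes rather than as a ``literal`` or in a `::` block like every other command on the page.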