Suricata-Update
===============
The tool for updating your Suricata rules.
Installation
------------

::

   pip install --upgrade suricata-update
Documentation
-------------
https://suricata-update.readthedocs.io/en/latest/
Issues
------
https://redmine.openinfosecfoundation.org/projects/suricata-update
Example Usage
-------------

::

   suricata-update

The default invocation of ``suricata-update`` will perform the following:

- Read the configuration, /etc/suricata/update.yaml, if it exists.
- Read in the rule filter configuration files:

  - /etc/suricata/disable.conf
  - /etc/suricata/enable.conf
  - /etc/suricata/drop.conf
  - /etc/suricata/modify.conf

- Download the best version of the Emerging Threats Open ruleset for
  the version of Suricata found.
- Read in the rule files provided with the Suricata distribution from
  /etc/suricata/rules.
- Apply disable, enable, drop and modify filters.
- Resolve flowbits.
- Write the rules to /var/lib/suricata/rules/suricata.rules.

If you are not yet ready to use /var/lib/suricata/rules then you may
be interested in the `--output
<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_ and
`--no-merge
<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_
command line options.
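The filter and flowbit steps of that default run, as an added Python example that is not suricata-update's own code: it assumes a simple filter syntax (bare SIDs or ``re:<regex>`` entries for disable/enable/drop, and modify entries given as (filter, regex, replacement) tuples), assumes a re-enabled flowbit setter gets ``flowbits:noalert`` added, and uses constructed rule lines in place of a downloaded ruleset.

```python
import re
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBIT_RE = re.compile(r"flowbits:\s*(set|isset)\s*,\s*([\w.]+)")
# Constructed sample ruleset standing in for a downloaded rule file (not real ET rules).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"EX setter"; flowbits:set,ex.seen; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EX checker"; flowbits:isset,ex.seen; sid:1000002; rev:1;)
#alert tcp any any -> any 22 (msg:"EX off by default"; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"EX noisy"; sid:1000004; rev:1;)
"""
def parse_rules(raw):
    # One dict per rule; a leading '#' means disabled. Lines without a sid are skipped.
    return [{"text": l.lstrip("# "), "enabled": not l.startswith("#"), "sid": int(m.group(1))}
            for l in raw.splitlines() if (m := SID_RE.search(l))]

def matches(rule, spec):
    # Filter entry: a bare SID or 're:<regex>' (assumed filter syntax, not from the page).
    if spec.startswith("re:"):
        return re.search(spec[3:], rule["text"]) is not None
    return rule["sid"] == int(spec)

def apply_filters(rules, disable, enable, drop, modify):
    # Same order as the README lists them: disable, enable, drop, modify.
    for r in rules:
        if any(matches(r, s) for s in disable):
            r["enabled"] = False
        if any(matches(r, s) for s in enable):
            r["enabled"] = True
        if any(matches(r, s) for s in drop):
            r["text"] = re.sub(r"^alert\b", "drop", r["text"])
        for spec, old, new in modify:  # modify entries: (filter, regex, replacement)
            if matches(r, spec):
                r["text"] = re.sub(old, new, r["text"])

def resolve_flowbits(rules):
    # Re-enable disabled rules that set a flowbit an enabled rule checks, adding noalert (assumed).
    needed = {n for r in rules if r["enabled"] for k, n in FLOWBIT_RE.findall(r["text"]) if k == "isset"}
    for r in rules:
        sets = {n for k, n in FLOWBIT_RE.findall(r["text"]) if k == "set"}
        if not r["enabled"] and sets & needed:
            r["enabled"] = True
            if "noalert" not in r["text"]:
                r["text"] = r["text"].replace("sid:", "flowbits:noalert; sid:", 1)

def build(raw, disable=(), enable=(), drop=(), modify=()):
    # Merged suricata.rules text; disabled rules are written out commented, as in the output file.
    rules = parse_rules(raw)
    apply_filters(rules, disable, enable, drop, modify)
    resolve_flowbits(rules)
    return "\n".join(r["text"] if r["enabled"] else "# " + r["text"] for r in rules) + "\n"
```

With the sample above, disabling sid 1000001 is undone by flowbit resolution because the enabled checker rule depends on the bit it sets; this is why a disable filter can appear not to "take" on a flowbit setter.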
Suricata Configuration
----------------------

The default Suricata configuration needs to be updated to find the rules
in the new location.

Example suricata.yaml:

.. code-block:: yaml

   default-rule-path: /var/lib/suricata/rules
   rule-files:
     - suricata.rules

Optionally ``-S /var/lib/suricata/rules/suricata.rules`` could be
provided on the Suricata command line.
Notes
-----

This ``suricata-update`` tool is based around the idea that
``/etc/suricata`` should not be used for active rule management, but
rather as a location for more or less static configuration. Instead,
``/var/lib/suricata`` is used for rule management and
``/etc/suricata/rules`` is used as a source for rule files provided by
the Suricata distribution.
Files and Directories
---------------------

``/usr/share/suricata/rules``
   Used as a source of rules provided by the Suricata engine. If this
   directory does not exist, ``/etc/suricata/rules`` will be used.

``/etc/suricata/update.yaml``
   The default location for the ``suricata-update`` configuration file.

``/etc/suricata/disable.conf``
   Default location for disable rule filters if not provided in the
   configuration file or command line.

``/etc/suricata/enable.conf``
   Default location for enable rule filters if not provided in the
   configuration file or command line.

``/etc/suricata/drop.conf``
   Default location for drop rule filters if not provided in the
   configuration file or command line.

``/etc/suricata/modify.conf``
   Default location for modify rule filters if not provided in the
   configuration file or command line.

``/var/lib/suricata/rules``
   The output directory for rules processed by the ``suricata-update``
   tool. This directory is owned and managed by ``suricata-update`` and
   should not be touched by the user.

``/var/lib/suricata/rules/suricata.rules``
   The default output filename for the rules processed by ``suricata-update``.
   This is a single file that contains all the rules from all input
   files and should be used by Suricata.

``/var/lib/suricata/update/cache``
   Directory where downloaded rule files are cached.

``/var/lib/suricata/rules/cache/index.yaml``
   Cached copy of the rule source index.

``/var/lib/suricata/update/sources``
   Configuration directory for sources enabled or added with
   ``enable-source`` or ``add-source``.