<div dir="ltr">I guess this begs the question: what is the canonical way? The docs for Suricata (<a href="https://suricata.readthedocs.io/en/latest/rule-management/oinkmaster.html">https://suricata.readthedocs.io/en/latest/rule-management/oinkmaster.html</a>) recommend oinkmaster, which I am using and find incredibly useful. <div><br></div><div>For the OP, those are warnings, not errors. Depending on the rule, you can likely, and should, just remove it from your disablesid list. I have run into this before and have come to expect that some may get removed from time to time, but it does not happen often to me and it will run just fine with those warnings. But given it's security based, I do clean them.</div><div><br></div><div>I like this version, oinkmaster, because I have multiple Suricata installations in multiple environments, so I update the rules on a Configuration MGMT server (currently <a href="https://docs.saltstack.com/en/latest/">https://docs.saltstack.com/en/latest/</a>), with rule files managed by git, and then run a state via cron, or manually, that updates all the known nodes in the environment and runs suricatasc -c reload-rules.<div><br></div><div>The main reason I chose this is that I use AWS and don't want to open another web port to manage rules (there are other ways to get to a web UI, I realize). I then monitor the rule results in CloudWatch logs, which I've also chosen for other security software that comes with web UIs. FWIW, it does look like a nice app!</div></div><div><br></div><div>Jeff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 30, 2017 at 11:08 AM, dbogenre <span dir="ltr"><<a href="mailto:dbogenre@umn.edu" target="_blank">dbogenre@umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>There are at least two other ways of which I'm aware you can use
for rule management (full disclosure, I wrote one of them):</p>
<p>Scirius (Scirius Community Edition is a web interface dedicated
to Suricata ruleset management.
It handles the rules file and update associated files.):<br>
</p>
<p><a class="m_3738975737439914695moz-txt-link-freetext" href="https://github.com/StamusNetworks/scirius" target="_blank">https://github.com/StamusNetworks/scirius</a></p>
<p>Mob-Boss (Github centric no frills rule management especially for
clustered environments):<br>
</p>
<p><a class="m_3738975737439914695moz-txt-link-freetext" href="https://github.com/codeweaver33/mob-boss" target="_blank">https://github.com/codeweaver33/mob-boss</a><br>
</p>
<p><br>
</p>
<div class="m_3738975737439914695moz-signature"><b>Dillon Bogenreif</b><br>
University Information Security<br>
University of Minnesota<br>
<a class="m_3738975737439914695moz-txt-link-abbreviated" href="mailto:dbogenre@umn.edu" target="_blank">dbogenre@umn.edu</a><br>
<a href="tel:(612)%20624-5762" value="+16126245762" target="_blank">612-624-5762</a> (office)<br>
GWAPT, GPEN</div><div><div class="h5">
<div class="m_3738975737439914695moz-cite-prefix">On 10/25/2017 02:52 PM, dev wrote:<br>
</div>
<blockquote type="cite">
<pre>Hi,
I usually update my rules with oinkmaster. I am getting errors [1] today
because the "disablesid" lines in oinkmaster.conf are no longer in the
downloaded ruleset. I don't think Oinkmaster is a suricata project
so I will forego asking about that here and rather ask:
What is the best way to stay current to update rules for suricata ?
Thanks
[1]
# oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
...
Processing downloaded rules...
disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
WARNING: attempt to use "disablesid" on non-existent SID 2522828
...
WARNING: attempt to use "disablesid" on non-existent SID 2523106
WARNING: attempt to use "disablesid" on non-existent SID 2522234
_______________________________________________
Suricata IDS Users mailing list: <a class="m_3738975737439914695moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>
Site: <a class="m_3738975737439914695moz-txt-link-freetext" href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a class="m_3738975737439914695moz-txt-link-freetext" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a>
List: <a class="m_3738975737439914695moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="m_3738975737439914695moz-txt-link-freetext" href="https://suricon.net" target="_blank">https://suricon.net</a>
Trainings: <a class="m_3738975737439914695moz-txt-link-freetext" href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></pre>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
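<p>A small check for the warnings the OP quotes, added here as an example and not code from the thread, from oinkmaster or from Suricata: it compares the disablesid entries in an oinkmaster.conf against the SIDs actually present in the downloaded ruleset, reports the stale ones, and prunes them from the config, which is what Jeff suggests doing. The sample ruleset and conf fragment are constructed, and support for the N-M range form in disablesid is an assumption.</p>

```python
import re
# Constructed sample ruleset (not from the thread); one rule is commented out.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST one"; sid:2522234; rev:3;)
# alert tcp any any -> any any (msg:"TEST two"; sid:2522828; rev:1;)
alert http any any -> any any (msg:"TEST three"; sid:2523107; rev:2;)
"""
# Constructed oinkmaster.conf fragment in the OP's disablesid style.
OINK_CONF = """\
disablesid 2522828, 2523106
disablesid 2522234, 2523100-2523102
# disablesid 99999
"""
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
DISABLE_RE = re.compile(r"^\s*disablesid\s+(.+?)\s*$")

def ruleset_sids(rules: str) -> set[int]:
    # Commented-out rules count as present: oinkmaster can still enable/disable them.
    return {int(m.group(1)) for m in SID_RE.finditer(rules)}

def expand_sids(spec: str) -> list[int]:
    # Accept "a, b, c-d"; the N-M range form is assumed, not taken from the thread.
    sids: list[int] = []
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            sids.extend(range(lo, hi + 1))
        elif item:
            sids.append(int(item))
    return sids

def stale_disablesids(conf: str, rules: str) -> dict[int, int]:
    # Map each disablesid SID missing from the ruleset to the conf line that names it.
    present = ruleset_sids(rules)
    return {s: n for n, line in enumerate(conf.splitlines(), 1)
            if (m := DISABLE_RE.match(line))
            for s in expand_sids(m.group(1)) if s not in present}

def prune_disablesids(conf: str, rules: str) -> str:
    # Rewrite the conf without stale SIDs; ranges come back as single SIDs, empty lines go.
    present, out = ruleset_sids(rules), []
    for line in conf.splitlines():
        m = DISABLE_RE.match(line)
        if not m:
            out.append(line)
            continue
        keep = [str(s) for s in expand_sids(m.group(1)) if s in present]
        if keep:
            out.append("disablesid " + ", ".join(keep))
    return "\n".join(out) + "\n"
```

Run it against the real rules directory (concatenate the .rules files) before oinkmaster is invoked, and the SIDs it reports are exactly the ones the "non-existent SID" warnings would name.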