<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>You can also use rulecat (part of py-idstools --
      <a class="moz-txt-link-freetext" href="https://github.com/jasonish/py-idstools">https://github.com/jasonish/py-idstools</a>) or Pulled Pork
      (<a class="moz-txt-link-freetext" href="https://github.com/shirkdog/pulledpork">https://github.com/shirkdog/pulledpork</a>).<br>
    </p>
    I like rulecat for Suricata rules since it is straightforward and
    written in Python.<br>
    <br>
    -David<br>
    <br>
    <div class="moz-cite-prefix">On 10/30/2017 11:08 AM, dbogenre wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:514de092-ce37-b928-b3ed-0eed42b09ee7@umn.edu">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <p>There are at least two other ways of which I'm aware you can
        use for rule management (full disclosure, I wrote one of them):</p>
      <p>Scirius (Scirius Community Edition is a web interface dedicated
        to Suricata ruleset management. It handles the rules file and
        updates associated files.):<br>
      </p>
      <p><a class="moz-txt-link-freetext"
          href="https://github.com/StamusNetworks/scirius"
          moz-do-not-send="true">https://github.com/StamusNetworks/scirius</a></p>
      <p>Mob-Boss (GitHub-centric, no-frills rule management, especially
        for clustered environments):<br>
      </p>
      <p><a class="moz-txt-link-freetext"
          href="https://github.com/codeweaver33/mob-boss"
          moz-do-not-send="true">https://github.com/codeweaver33/mob-boss</a><br>
      </p>
      <p><br>
      </p>
      <div class="moz-signature"><b>Dillon Bogenreif</b><br>
        University Information Security<br>
        University of Minnesota<br>
        <a class="moz-txt-link-abbreviated"
          href="mailto:dbogenre@umn.edu" moz-do-not-send="true">dbogenre@umn.edu</a><br>
        612-624-5762 (office)<br>
        GWAPT, GPEN</div>
      <div class="moz-cite-prefix">On 10/25/2017 02:52 PM, dev wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:2cd62767-a7ca-1c6d-2a04-8be7595151ed@gmail.com">
        <pre wrap="">Hi,
I usually update my rules with oinkmaster. I am getting errors[1] today
because the "disablesid" lines in oinkmaster.conf are no longer in the
downloaded ruleset.  I don't think Oinkmaster is a suricata project
so I will forego asking about that here and rather ask:

What is the best way to stay current to update rules for suricata?
Thanks


[1]
# oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
...
Processing downloaded rules...
disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
WARNING: attempt to use "disablesid" on non-existent SID 2522828
...
WARNING: attempt to use "disablesid" on non-existent SID 2523106
WARNING: attempt to use "disablesid" on non-existent SID 2522234

_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org" moz-do-not-send="true">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/" moz-do-not-send="true">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

Conference: <a class="moz-txt-link-freetext" href="https://suricon.net" moz-do-not-send="true">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/" moz-do-not-send="true">https://suricata-ids.org/training/</a></pre>
      </blockquote>
    </blockquote>
    <br>
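    <p>The warnings quoted in the original question come from "disablesid" entries that point at SIDs no longer present in the downloaded ruleset. The following is an added example, not part of the thread and not code from Oinkmaster or any of the tools mentioned: a small Python check that lists such stale entries before an update run. The function names, the sample configuration and the sample rules are constructed for illustration, and it assumes "disablesid" lines carry one SID or a comma-separated list.</p>

```python
import re

# Assumption: "disablesid" takes one SID or a comma-separated list of SIDs.
DISABLE_RE = re.compile(r"^\s*disablesid\s+(.+)$", re.IGNORECASE)
# Matches the sid option inside a rule body, e.g. "sid:1000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def disabled_sids(conf_text):
    """Collect every numeric SID named on a disablesid line."""
    sids = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        match = DISABLE_RE.match(line)
        if not match:
            continue
        for token in match.group(1).split(","):
            token = token.strip()
            if token.isdigit():               # skip anything that is not a plain SID
                sids.add(int(token))
    return sids


def ruleset_sids(rules_text):
    """Collect SIDs from rule lines. Commented-out rules are counted as
    present (an assumption of this example, since they still exist in the file)."""
    return {int(m.group(1)) for m in SID_RE.finditer(rules_text)}


def stale_disablesid(conf_text, rules_text):
    """Return the disabled SIDs that no longer exist in the ruleset, sorted."""
    return sorted(disabled_sids(conf_text) - ruleset_sids(rules_text))


# Constructed oinkmaster.conf fragment; the first three SIDs are the ones
# named in the warnings quoted in the thread, the last one is made up.
SAMPLE_CONF = """\
disablesid 2522828, 2523106   # old entries
disablesid 2522234
disablesid 1000001
"""

# Constructed rules file contents (not taken from any real ruleset).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"constructed rule B"; sid:1000002; rev:2;)
"""

if __name__ == "__main__":
    for sid in stale_disablesid(SAMPLE_CONF, SAMPLE_RULES):
        print("stale disablesid entry:", sid)
```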
  </body>
</html>