[Oisf-users] Updating suricata rules

Jason Ish ish at unx.ca
Thu Nov 2 18:51:57 UTC 2017


On 2017-10-30 09:49 AM, David Wharton wrote:
> You can also use rulecat (part of py-idstools -- 
> https://github.com/jasonish/py-idstools) or Pulled Pork 
> (https://github.com/shirkdog/pulledpork).
> 
> I like rulecat for Suricata rules since it is straightforward and 
> written in Python.
> 
> -David

There is now a new tool that is more or less a fork of idstools-rulecat, 
and a bit more opinionated at:

https://github.com/OISF/suricata-update

It has most of the features of idstools-rulecat but with some more 
things done by default, and a new YAML configuration file to be 
consistent with Suricata.

Any feedback would be appreciated.

Jason

> 
> On 10/30/2017 11:08 AM, dbogenre wrote:
>>
>> There are at least two other ways of which I'm aware you can use for 
>> rule management (full disclosure, I wrote one of them):
>>
>> Scirius (Scirius Community Edition is a web interface dedicated to 
>> Suricata ruleset management. It handles the rules file and update 
>> associated files.):
>>
>> https://github.com/StamusNetworks/scirius
>>
>> Mob-Boss (Github centric no frills rule management especially for 
>> clustered environments):
>>
>> https://github.com/codeweaver33/mob-boss
>>
>>
>> *Dillon Bogenreif*
>> University Information Security
>> University of Minnesota
>> dbogenre at umn.edu
>> 612-624-5762 (office)
>> GWAPT, GPEN
>> On 10/25/2017 02:52 PM, dev wrote:
>>> Hi,
>>> I usually update my rules with oinkmaster. I am getting errors[1] today
>>> because the "disablesid" lines in oinkmaster.conf are no longer in the
>>> downloaded ruleset.  I don't think Oinkmaster is a suricata project
>>> so I will forego asking about that here and rather ask:
>>>
>>> What is the best way to stay current to update rules for suricata ?
>>> Thanks
>>>
>>>
>>> [1]
>>> # oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
>>> ...
>>> Processing downloaded rules...
>>> disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
>>> WARNING: attempt to use "disablesid" on non-existent SID 2522828
>>> ...
>>> WARNING: attempt to use "disablesid" on non-existent SID 2523106
>>> WARNING: attempt to use "disablesid" on non-existent SID 2522234
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>>
>>
> 
> 
> 
> 
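The oinkmaster warnings quoted at the bottom of this thread come from disablesid entries whose SIDs have dropped out of the downloaded ruleset. As an added example (not code from any poster or from oinkmaster, rulecat or suricata-update), the following script checks an oinkmaster.conf against a .rules file and lists the stale SIDs so the config can be pruned before the next update; it assumes oinkmaster's "disablesid 11, 20-22" list/range syntax, and the sample inputs are constructed.

```python
import re
from typing import Iterable, Set

# oinkmaster "disablesid 11, 20-22" list/range syntax is assumed; RULE_SID matches a rule's sid option.
SID_LINE = re.compile(r"^\s*(disablesid|enablesid)\s+(\S.*?)\s*$", re.I)
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_sid_spec(spec: str) -> Set[int]:
    """Expand a spec like '11, 20-22' into {11, 20, 21, 22}."""
    sids: Set[int] = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids

def config_sids(lines: Iterable[str], keyword: str = "disablesid") -> Set[int]:
    """SIDs referenced by `keyword` lines in oinkmaster.conf (trailing comments stripped)."""
    found: Set[int] = set()
    for line in lines:
        m = SID_LINE.match(line.split("#", 1)[0])
        if m and m.group(1).lower() == keyword:
            found |= parse_sid_spec(m.group(2))
    return found

def ruleset_sids(lines: Iterable[str]) -> Set[int]:
    """SIDs present in a .rules file, commented-out (disabled) rules included."""
    return {int(m.group(1)) for line in lines for m in RULE_SID.finditer(line)}

def stale_disablesids(conf_lines: Iterable[str], rule_lines: Iterable[str]) -> Set[int]:
    """disablesid entries matching no rule: exactly what triggers the WARNINGs in the thread."""
    return config_sids(conf_lines) - ruleset_sids(rule_lines)

# Constructed sample inputs (not real files); 2522828 and 2523106 are the SIDs from the thread.
SAMPLE_CONF = """# constructed oinkmaster.conf
disablesid 2522828, 2523106
disablesid 2010000-2010002   # range syntax
"""
SAMPLE_RULES = """# constructed ruleset
alert tcp any any -> any 80 (msg:"CONSTRUCTED live rule"; sid:2010001; rev:1;)
# alert ip any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:2010002; rev:2;)
"""

if __name__ == "__main__":
    for sid in sorted(stale_disablesids(SAMPLE_CONF.splitlines(), SAMPLE_RULES.splitlines())):
        print(f"stale disablesid: {sid}")
```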