[Oisf-users] Updating suricata rules

Jeff Dyke jeff.dyke at gmail.com
Mon Oct 30 15:44:09 UTC 2017


I guess this begs the question, what is the canonical way? The docs for
suricata
(https://suricata.readthedocs.io/en/latest/rule-management/oinkmaster.html)
recommend oinkmaster, which I am using and find incredibly useful.

For the OP, those are warnings, not errors; depending on the rule, you can
likely, and should, just remove it from your disablesid list.  I have run
into this before and have come to expect that some may get removed from
time to time, but it does not happen often to me and will run just fine with
those warnings.  But given it's security-based, I do clean them.

I like this version, oinkmaster, because I have multiple suricata installations
in multiple environments, so I update the rules on a Configuration MGMT
server (currently https://docs.saltstack.com/en/latest/), rule files
managed by git, and then run a state via cron, or manually, that updates on
all the known nodes in the environment and runs suricatasc -c reload-rules.

The main reason I chose this is that I use AWS and don't want to open
another web port to manage rules (there are other ways to get to a web UI, I
realize); then I monitor the rule results in CloudWatch Logs, which I've
also chosen for other security software that comes with web UIs.  FWIW, it
does look like a nice app!

Jeff

On Mon, Oct 30, 2017 at 11:08 AM, dbogenre <dbogenre at umn.edu> wrote:

> There are at least two other ways of which I'm aware you can use for rule
> management (full disclosure, I wrote one of them):
>
> Scirius (Scirius Community Edition is a web interface dedicated to
> Suricata ruleset management. It handles the rules file and update
> associated files.):
>
> https://github.com/StamusNetworks/scirius
>
> Mob-Boss (Github centric no frills rule management especially for
> clustered environments):
>
> https://github.com/codeweaver33/mob-boss
>
>
> *Dillon Bogenreif*
> University Information Security
> University of Minnesota
> dbogenre at umn.edu
> 612-624-5762 (office)
> GWAPT, GPEN
> On 10/25/2017 02:52 PM, dev wrote:
>
> Hi,
> I usually update my rules with oinkmaster. I am getting errors[1] today
> because the "disablesid" lines in oinkmaster.conf are no longer in the
> downloaded ruleset.  I don't think Oinkmaster is a suricata project,
> so I will forego asking about that here and rather ask:
>
> What is the best way to stay current to update rules for suricata?
> Thanks
>
>
> [1]
> # oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
> ...
> Processing downloaded rules...
> disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
> WARNING: attempt to use "disablesid" on non-existent SID 2522828
> ...
> WARNING: attempt to use "disablesid" on non-existent SID 2523106
> WARNING: attempt to use "disablesid" on non-existent SID 2522234
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
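The OP's warnings ("attempt to use disablesid on non-existent SID") and Jeff's advice to clean the stale entries suggest a quick check that can run before the rule push. The script below is an added example, not code from the thread or from the Oinkmaster project: it lists every SID named on a disablesid line in an oinkmaster.conf that no longer appears in any .rules file, so those lines can be dropped from the config instead of producing a warning on every run. The config and rule contents it builds are constructed sample data; the SIDs 2522828, 2523106 and 2522234 are the ones from the OP's output, and 2100001/2100002 are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or Oinkmaster): report "disablesid"
# entries in an oinkmaster.conf whose SIDs are absent from the downloaded
# ruleset. Oinkmaster only warns about these; listing them makes it easy to
# remove the stale lines. All file contents below are constructed samples.

# SIDs named on disablesid lines of config $1, one per line, sorted.
# Oinkmaster accepts "disablesid 1, 2, 3" as well as one SID per line.
disablesid_list() {
    sed -n 's/^[[:space:]]*disablesid[[:space:]]*//p' "$1" |
        tr ',' '\n' | tr -d ' \t' | grep -E '^[0-9]+$' | sort -u
}

# Every "sid:N" found in the *.rules files under directory $1, sorted.
rules_sids() {
    cat "$1"/*.rules | grep -oE 'sid:[[:space:]]*[0-9]+' |
        sed -E 's/^sid:[[:space:]]*//' | sort -u
}

# disablesid SIDs from config $1 that match no rule in directory $2.
# Both inputs are sorted with the same sort(1), so comm(1) can diff them.
stale_disablesids() {
    tmp=$(mktemp -d)
    disablesid_list "$1" > "$tmp/conf_sids"
    rules_sids "$2" > "$tmp/rule_sids"
    comm -23 "$tmp/conf_sids" "$tmp/rule_sids"   # lines only in conf_sids
    rm -rf "$tmp"
}

# Create a constructed sample config and ruleset in a temp dir; print its path.
# SID 2100001 exists in the ruleset, the other three disabled SIDs do not.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    cat > "$d/rules/sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE rule one"; sid:2100001; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE rule two"; sid:2100002; rev:1;)
EOF
    cat > "$d/oinkmaster.conf" <<'EOF'
url = file:///dev/null
disablesid 2100001, 2522828
disablesid 2523106
disablesid 2522234
EOF
    printf '%s\n' "$d"
}

demo=$(demo_setup)
echo "disablesid entries with no matching rule (candidates to remove):"
stale_disablesids "$demo/oinkmaster.conf" "$demo/rules"
rm -rf "$demo"
```

On real data, point stale_disablesids at the live oinkmaster.conf and the directory Oinkmaster writes with -o; in a workflow like Jeff's it fits between the rule update and the suricatasc -c reload-rules step, before the rules are committed to git. Note that it reports a SID as stale only if it is missing from every .rules file in that directory, so run it against the full downloaded set, not a single file.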