[Oisf-users] Updating suricata rules

David Wharton oisf at davidwharton.us
Mon Oct 30 15:49:23 UTC 2017


You can also use rulecat (part of py-idstools --
https://github.com/jasonish/py-idstools) or Pulled Pork
(https://github.com/shirkdog/pulledpork).

I like rulecat for Suricata rules since it is straightforward and
written in Python.

-David

On 10/30/2017 11:08 AM, dbogenre wrote:
>
> There are at least two other ways of which I'm aware you can use for
> rule management (full disclosure, I wrote one of them):
>
> Scirius (Scirius Community Edition is a web interface dedicated to
> Suricata ruleset management. It handles the rules file and update
> associated files.):
>
> https://github.com/StamusNetworks/scirius
>
> Mob-Boss (Github centric no frills rule management especially for
> clustered environments):
>
> https://github.com/codeweaver33/mob-boss
>
>
> *Dillon Bogenreif*
> University Information Security
> University of Minnesota
> dbogenre at umn.edu
> 612-624-5762 (office)
> GWAPT, GPEN
> On 10/25/2017 02:52 PM, dev wrote:
>> Hi,
>> I usually update my rules with oinkmaster. I am getting errors[1] today
>> because the "disablesid" lines in oinkmaster.conf are no longer in the
>> downloaded ruleset.  I don't think Oinkmaster is a suricata project
>> so I will forego asking about that here and rather ask:
>>
>> What is the best way to stay current to update rules for suricata?
>> Thanks
>>
>>
>> [1]
>> # oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
>> ...
>> Processing downloaded rules...
>> disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
>> WARNING: attempt to use "disablesid" on non-existent SID 2522828
>> ...
>> WARNING: attempt to use "disablesid" on non-existent SID 2523106
>> WARNING: attempt to use "disablesid" on non-existent SID 2522234
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
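The warnings dev quotes above come from "disablesid" entries in oinkmaster.conf that name SIDs no longer shipped in the downloaded ruleset. The following script is an added example, not code from this thread, oinkmaster or rulecat: it parses a rules file for sid values (counting rules that are commented out, which oinkmaster leaves in place), expands the SIDs and ranges named by "disablesid"/"enablesid" directives, and reports which ones are stale. The ruleset and config excerpts are constructed sample data.

```python
import re
from typing import Dict, List, Set

# "sid:2522828;" inside a rule. A rule commented out with '#' still counts
# as present, since oinkmaster keeps disabled rules in the file.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# "disablesid 1, 2" / "enablesid 10-20" lines (comma or space separated,
# single SIDs or lo-hi ranges). modifysid/localsid have other syntax and
# are skipped here.
DIRECTIVE_RE = re.compile(r"^\s*(disablesid|enablesid)\s+(.+)$")
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def ruleset_sids(rule_lines) -> Set[int]:
    """Every SID in a downloaded ruleset, active or commented out."""
    sids = set()
    for line in rule_lines:
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def config_sids(conf_lines) -> Dict[str, List[int]]:
    """SIDs referenced per directive in oinkmaster.conf, ranges expanded."""
    refs: Dict[str, List[int]] = {}
    for line in conf_lines:
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        directive, rest = m.groups()
        for token in re.split(r"[,\s]+", rest.strip()):
            r = RANGE_RE.match(token)
            if token.isdigit():
                refs.setdefault(directive, []).append(int(token))
            elif r:
                lo, hi = int(r.group(1)), int(r.group(2))
                refs.setdefault(directive, []).extend(range(lo, hi + 1))
    return refs


def stale_sids(conf_lines, rule_lines) -> Dict[str, List[int]]:
    """Directive -> SIDs it names that no longer exist in the ruleset."""
    present = ruleset_sids(rule_lines)
    return {d: sorted(s for s in sids if s not in present)
            for d, sids in config_sids(conf_lines).items()}


# Constructed sample data (not a real ruleset or config):
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed A"; sid:2522828; rev:1;)
#alert udp any any -> any 53 (msg:"constructed B, disabled"; sid:2522234; rev:2;)
alert http any any -> any any (msg:"constructed C"; sid:1000001; rev:1;)
"""
CONF = """\
disablesid 2522828, 2523106   # 2523106 was dropped from the ruleset
disablesid 2522234            # present, already commented out
enablesid 3000000-3000001
"""

if __name__ == "__main__":
    for directive, sids in stale_sids(CONF.splitlines(), RULES.splitlines()).items():
        print(directive, "names SIDs no longer in the ruleset:", sids)
```

Running this against the real oinkmaster.conf and rules directory before an update tells you which directives to prune, so the warnings point only at genuinely new removals.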
