[Oisf-users] About suricata-update tool

C. L. Martinez carlopmart at gmail.com
Wed Apr 11 13:54:23 UTC 2018


Thanks Jason ... I have done some tests and it is working ... There is only
an "error":

+ /root/bin/suricata-update -D /opt/suricata/ids01/data -c
/opt/suricata/ids01/update.yaml -o /opt/suricata/ids01/rules --no-test
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/update.yaml
11/4/2018 -- 13:40:37 - <Warning> -- No suricata application binary found
on path.
11/4/2018 -- 13:40:37 - <Info> -- Using default Suricata version of 4.0.0
11/4/2018 -- 13:40:37 - <Info> -- Using user-agent: Mozilla/5.0 (Windows NT
10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0.
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/disable.conf.
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/enable.conf.
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/modify.conf.
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/drop.conf.
11/4/2018 -- 13:40:37 - <Info> -- Fetching
https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz.
11/4/2018 -- 13:40:40 - <Info> -- Done.
11/4/2018 -- 13:40:40 - <Info> -- Fetching
https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
11/4/2018 -- 13:40:41 - <Info> -- Done.
11/4/2018 -- 13:40:41 - <Info> -- Fetching
https://feodotracker.abuse.ch/blocklist/?download=suricata.
11/4/2018 -- 13:40:43 - <Info> -- Done.
11/4/2018 -- 13:40:43 - <Info> -- Loading local file
/opt/suricata/common/rules/dns-events.rules
11/4/2018 -- 13:40:43 - <Info> -- Loading local file
/opt/suricata/common/rules/http-events.rules
11/4/2018 -- 13:40:43 - <Info> -- Loading local file
/opt/suricata/common/rules/tls-events.rules
11/4/2018 -- 13:40:43 - <Info> -- Loading local file
/opt/suricata/ids01/local.rules
11/4/2018 -- 13:40:43 - <Warning> -- Distribution rule directory not found:
/etc/suricata/rules
11/4/2018 -- 13:40:43 - <Info> -- Ignoring file rules/emerging-deleted.rules
11/4/2018 -- 13:40:46 - <Info> -- Loaded 25762 rules.
11/4/2018 -- 13:40:56 - <Info> -- Disabled 7924 rules.
11/4/2018 -- 13:40:56 - <Info> -- Enabled 0 rules.
11/4/2018 -- 13:40:56 - <Info> -- Modified 0 rules.
11/4/2018 -- 13:40:56 - <Info> -- Dropped 0 rules.
11/4/2018 -- 13:40:56 - <Info> -- Enabled 98 rules for flowbit dependencies.
11/4/2018 -- 13:40:56 - <Info> -- Backing up current rules.
11/4/2018 -- 13:40:56 - <Info> -- Writing rules to
/opt/suricata/ids01/rules/suricata.rules: total: 25762; enabled: 13227;
added: 25762; removed 0; modified: 0
11/4/2018 -- 13:40:57 - <Info> -- No suricata application binary found,
skipping test.
11/4/2018 -- 13:40:57 - <Info> -- Done.

As you can see, I have specified the output directory with the "-o
/opt/suricata/ids01/rules" option, but suricata-update returns:

11/4/2018 -- 13:40:43 - <Warning> -- Distribution rule directory not found:
/etc/suricata/rules

Any idea why?


On Tue, Apr 10, 2018 at 6:03 PM, Jason Ish <ish at unx.ca> wrote:

> On Tue, Apr 10, 2018 at 6:56 AM, C. L. Martinez <carlopmart at gmail.com>
> wrote:
>
>> Hi all,
>>
>>  Why is suricata a requirement to run suricata-update? Is it not possible
>> to use it standalone? For example, if you need to update rules for several
>> suricata sensors, do I need to install suricata-update on every one? Is it
>> not possible to use a "central server" to update all suricata nodes?...
>>
>>
> Suricata-update should work fine without Suricata being installed. If it's
> not, please provide more detail as to what is going wrong. It could be
> something that is fixed in git-master but hasn't been released yet.
>
> With Suricata installed you get a few "helper" features that you may not
> want if distributing the resulting rules anyways. These include:
>
> - Rules that you do not have the app-layer enabled for will be disabled.
> This prevents a warning on Suricata startup (or fatal error if
> --init-errors-fatal is set).
> - Rule URLs that use a Suricata version will have the version
> automatically set (you can use the --suricata-version option).
> - Vars used in rules will be verified against the suricata.yaml.
>
> Jason
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
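Checking each sensor's run from a central update host, as an added example that is not part of this thread or of suricata-update itself: it parses the log format shown above (sample lines constructed from the output quoted in the mail, with mail-wrapped lines rejoined) and reports every Warning, where the rules were written and the counts on that line, and whether the post-write test was skipped because no Suricata binary was present.

```python
import re
# Constructed sample taken from the run quoted in the mail above; lines the
# mail client wrapped are joined back the way the tool prints them.
SAMPLE_LOG = """\
11/4/2018 -- 13:40:37 - <Info> -- Loading /opt/suricata/ids01/update.yaml
11/4/2018 -- 13:40:37 - <Warning> -- No suricata application binary found on path.
11/4/2018 -- 13:40:43 - <Warning> -- Distribution rule directory not found: /etc/suricata/rules
11/4/2018 -- 13:40:56 - <Info> -- Writing rules to /opt/suricata/ids01/rules/suricata.rules: total: 25762; enabled: 13227; added: 25762; removed 0; modified: 0
11/4/2018 -- 13:40:57 - <Info> -- No suricata application binary found, skipping test.
11/4/2018 -- 13:40:57 - <Info> -- Done.
"""

LINE_RE = re.compile(r"^(?P<date>\S+) -- (?P<time>\S+) - <(?P<level>\w+)> -- (?P<msg>.*)$")
WRITE_RE = re.compile(r"^Writing rules to (?P<path>\S+): (?P<stats>.*)$")
STAT_RE = re.compile(r"(total|enabled|added|removed|modified):?\s*(\d+)")  # "removed 0" has no colon

def parse_update_log(text):
    """Summarise one run: warnings, output file, counts from the 'Writing rules'
    line, whether the post-write test ran, and whether it ended with 'Done.'."""
    s = {"warnings": [], "output": None, "stats": {}, "tested": True, "done": False}
    last_msg = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line (e.g. a wrapped continuation)
        level, last_msg = m.group("level"), m.group("msg")
        if level == "Warning":
            s["warnings"].append(last_msg)
        elif (w := WRITE_RE.match(last_msg)):
            s["output"] = w.group("path")
            s["stats"] = {k: int(v) for k, v in STAT_RE.findall(w.group("stats"))}
        elif last_msg.startswith("No suricata application binary found, skipping test"):
            s["tested"] = False
    s["done"] = last_msg == "Done."
    return s

def check_sensor_update(text, expected_dir):
    """Per-sensor findings for a central updater: the run finished, rules went
    into that sensor's own -o directory, the set was test-loaded, no warnings."""
    s = parse_update_log(text)
    findings = []
    if not s["done"]:
        findings.append("run did not finish")
    if not (s["output"] or "").startswith(expected_dir.rstrip("/") + "/"):
        findings.append(f"rules not written under {expected_dir}: {s['output']}")
    if not s["tested"]:
        findings.append("rule set not tested (no suricata binary on this host)")
    findings.extend("warning: " + w for w in s["warnings"])
    return findings
```

In standalone use the "skipping test" line means nothing has loaded the written rule set, so the only checks left on the update host are the ones above; a test load still has to happen on a sensor before the rules go live.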