[Oisf-users] suricata-update and path/files in config

Jason Ish ish at unx.ca
Tue Jan 16 21:40:56 UTC 2018


On 2018-01-13 10:54 AM, T F wrote:
> Hi list,
> 
> I recently started using suricata-update, and I'm a bit unsure of how
> this affects the configuration. As per the documentation [1], the
> configuration file needs to be updated to reflect the path and file
> created by suricata-update (which, also from the documentation, I
> could understand it's all put in one single file, and management of
> rules is done via disable.conf and enable.conf).
> 
> "default-rule-path: /var/lib/suricata/rules
> 
> rule-files:
>    - suricata.rules"
> 
> Does this mean that the configuration for the rules that depend on
> /etc/suricata/rules can be removed? My objective is to rely only on
> suricata-update, and from what I understood from the Github page for
> suricata-update [2], if I'm not relying on /etc/suricata/rules, that
> part of the configuration can be removed.

So suricata-update is designed around the idea of moving away from the 
/etc/suricata/rules directory, but for now it's used as a source directory 
by suricata-update.

When suricata-update is run it will check /etc/suricata/rules for the 
rule files that are known to ship with the suricata engine; these are 
the rule files that are found in the rules directory of the source.

They are then merged into the other rules and included in 
/var/lib/suricata/rules/suricata.rules.

At some point in the future I'd like to see these engine-provided rules 
placed in /usr/share/suricata/rules or some other read-only location, 
then suricata-update will look there.

> 
> AFAIK, when installing from repo, no files with rules are shipped, so
> suricata will fail to load any of the files mentioned in the
> configuration.

There is "make install-full" which will install the rules and do an 
initial download of the ET/Open rules. Not really in a suricata-update-
compatible way, but all this is still a work in progress.

Hope that helps,
Jason
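As an added illustration of the failure mode raised in the thread (suricata refusing to load rule files that the configuration still lists but that no longer exist once everything is consolidated into /var/lib/suricata/rules/suricata.rules), here is a small checker that is not part of the thread, of suricata, or of suricata-update. It assumes the flat `default-rule-path` / `rule-files` layout quoted above and that relative `rule-files` entries resolve against `default-rule-path`; the helper names and the sample configurations are constructed for this example.

```python
import os
import re
import tempfile

# Hypothetical helper: extracts `default-rule-path` and the `rule-files` list
# from suricata.yaml-style text. It is a line-based reader for the flat layout
# shown in the thread, not suricata's own YAML loader.
def parse_rule_config(text):
    default_path = None
    rule_files = []
    in_list = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^default-rule-path:\s*(\S+)", line)
        if m:
            default_path = m.group(1)
            in_list = False
            continue
        if re.match(r"^rule-files:\s*$", line):
            in_list = True
            continue
        if in_list:
            m = re.match(r"^\s+-\s*(\S+)", line)
            if m:
                rule_files.append(m.group(1))
                continue
            in_list = False  # any non-list line closes the rule-files block
    return default_path, rule_files


def resolve_rule_files(default_path, rule_files):
    # Relative entries are joined onto default-rule-path; absolute ones stay as given.
    return [f if os.path.isabs(f) else os.path.join(default_path, f) for f in rule_files]


def missing_rule_files(text):
    # Returns the resolved paths that suricata would fail to open at startup.
    default_path, rule_files = parse_rule_config(text)
    return [p for p in resolve_rule_files(default_path, rule_files) if not os.path.isfile(p)]


def demo():
    # Constructed scenario: a temp rules dir holding only the consolidated
    # suricata.rules, checked against a cleaned-up config and a stale one that
    # still lists files from the old per-file layout.
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir = os.path.join(tmp, "rules")
        os.makedirs(rules_dir)
        with open(os.path.join(rules_dir, "suricata.rules"), "w") as fh:
            fh.write("# constructed placeholder rule file\n")
        new_cfg = f"default-rule-path: {rules_dir}\n\nrule-files:\n  - suricata.rules\n"
        old_cfg = (
            f"default-rule-path: {rules_dir}\n\nrule-files:\n"
            "  - suricata.rules\n"
            "  - old-local.rules\n"            # constructed stale entry
            "  - /nonexistent/legacy.rules\n"  # constructed stale absolute entry
        )
        stale = [os.path.basename(p) for p in missing_rule_files(old_cfg)]
        return missing_rule_files(new_cfg), stale


if __name__ == "__main__":
    clean, stale = demo()
    print("missing with consolidated config:", clean)
    print("missing with stale config:", stale)
```

Run against a real suricata.yaml by passing its contents to `missing_rule_files`; an empty list means every listed rule file is present, which is the state to reach before dropping the /etc/suricata/rules entries. `suricata -T -c suricata.yaml` remains the authoritative check, since it uses the engine's own YAML parser.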
