[Oisf-users] suricata-update and path/files in config

T F tiago.faria.backups at gmail.com
Fri Jan 19 11:57:43 UTC 2018


On Tue, Jan 16, 2018 at 9:40 PM, Jason Ish <ish at unx.ca> wrote:
> On 2018-01-13 10:54 AM, T F wrote:
>>
>> Hi list,
>>
>> I recently started using suricata-update, and I'm a bit unsure of how
>> this affects the configuration. As per the documentation [1], the
>> configuration file needs to be updated to reflect the path and file
>> created by suricata-update (which, also from the documentation, I
>> could understand it's all put in one single file, and management of
>> rules is done via disable.conf and enable.conf).
>>
>> "default-rule-path: /var/lib/suricata/rules
>>
>> rule-files:
>>    - suricata.rules"
>>
>> Does this mean that the configuration for the rules that depend on
>> /etc/suricata/rules can be removed? My objective is to rely only on
>> suricata-update, and from what I understood from the Github page for
>> suricata-update [2], if I'm not relying on /etc/suricata/rules, that
>> part of the configuration can be removed.
>
>
> So suricata-update is designed around the idea of moving away from the
> /etc/suricata/rules directory, but for now it's used as a source directory
> by suricata-update.

Makes sense. Thank you.

> When suricata-update is run it will check /etc/suricata/rules for the rule
> files that are known to ship with the suricata engine; these are the rule
> files that are found in the rules directory of the source.
>
> They are then merged into the other rules and included in
> /var/lib/suricata/rules/suricata.rules.

Since I didn't have any rules in /etc/suricata/rules, is it possible
that suricata-update just downloaded ET and OISF and created the file in
/var/lib/suricata/rules/? Suricata was still detecting based on this
file alone.

> At some point in the future I'd like to see these engine provided rules
> placed in /usr/share/suricata/rules or some other read-only location, then
> suricata-update will look there.
>
>>
>> AFAIK, when installing from repo, no files with rules are shipped, so
>> suricata will fail to load any of the files mentioned in the
>> configuration.
>
>
> There is "make install-full" which will install the rules and do an initial
> download of the ET/Open rules. Not really in a suricata-update compatible
> way, but all this is still a work in progress.

Do the rules shipped with the engine differ from the ET/Open OISF
sources of suricata-update?

> Hope that helps,
> Jason

It definitely does. Thank you for taking the time.

Tiago

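As an added illustration of the point under discussion (not code from this thread or from the Suricata project): a small Python check that reads the default-rule-path and rule-files entries of a suricata.yaml and reports which rule files do not exist on disk, which is the load failure the thread anticipates when /etc/suricata/rules ships empty. The config text and paths below are constructed, and the parser only handles the flat top-level form shown in the quoted documentation, not arbitrary YAML.

```python
import os
import re
from typing import Callable, List

# Constructed suricata.yaml fragment in the shape quoted in the thread;
# the second entry is an absolute path to show that those are kept as-is.
SAMPLE_CONFIG = """\
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
"""


def parse_rule_files(config_text: str) -> List[str]:
    """Return the paths Suricata would try to load from 'rule-files',
    resolving relative entries against 'default-rule-path'.
    Handles only the flat top-level form; it is not a YAML parser."""
    rule_path = ""
    files: List[str] = []
    in_list = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^default-rule-path:\s*(\S+)", line)
        if m:
            rule_path = m.group(1).strip("\"'")
            in_list = False
            continue
        if re.match(r"^rule-files:\s*$", line):
            in_list = True
            continue
        if in_list and line.lstrip().startswith("- "):
            files.append(line.strip()[2:].strip().strip("\"'"))
            continue
        in_list = False  # any other key ends the rule-files list
    return [f if os.path.isabs(f) else os.path.join(rule_path, f) for f in files]


def missing_rule_files(config_text: str,
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the configured rule-file paths that do not exist; each one
    is a file Suricata will fail to load at startup."""
    return [p for p in parse_rule_files(config_text) if not exists(p)]


if __name__ == "__main__":
    for path in missing_rule_files(SAMPLE_CONFIG):
        print("missing rule file:", path)
```

Pass the real suricata.yaml contents to missing_rule_files() to check a live install; the exists parameter is there so the check can be exercised without touching the filesystem.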
