[Oisf-users] suricata-update and path/files in config

Jason Ish ish at unx.ca
Fri Jan 19 18:37:37 UTC 2018


On 2018-01-19 05:57 AM, T F wrote:
> On Tue, Jan 16, 2018 at 9:40 PM, Jason Ish <ish at unx.ca> wrote:
>> On 2018-01-13 10:54 AM, T F wrote:
>>>
>>> Hi list,
>>>
>>> I recently started using suricata-update, and I'm a bit unsure of how
>>> this affects the configuration. As per the documentation [1], the
>>> configuration file needs to be updated to reflect the path and file
>>> created by suricata-update (which, also from the documentation, I
>>> could understand it's all put in one single file, and management of
>>> rules is done via disable.conf and enable.conf).
>>>
>>> "default-rule-path: /var/lib/suricata/rules
>>>
>>> rule-files:
>>>     - suricata.rules"
>>>
>>> Does this mean that the configuration for the rules that depend on
>>> /etc/suricata/rules can be removed? My objective is to rely only on
>>> suricata-update, and from what I understood from the Github page for
>>> suricata-update [2], if I'm not relying on /etc/suricata/rules, that
>>> part of the configuration can be removed.
>>
>>
>> So suricata-update is designed around the idea of moving away from the
>> /etc/suricata/rules directory, but for now it's used as a source directory by
>> suricata-update.
> 
> Makes sense. Thank you.
> 
>> When suricata-update is run it will check /etc/suricata/rules for the rule
>> files that are known to ship with the suricata engine, these are the rule
>> files that are found in the rules directory of the source.
>>
>> They are then merged into the other rules and included in
>> /var/lib/suricata/rules/suricata.rules.
> 
> Since I didn't have any rules in /etc/suricata/rules, is it possible
> that suricata-update just downloaded ET and OISF and created the file in
> /var/lib/suricata/rules/? Suricata was still detecting based on this
> file alone.

Suricata-update will still run fine without /etc/suricata/rules. You 
will miss the few rules that are included with the engine though. These 
rules are more related to protocol decode errors and not specific attacks.

So without them present at /etc/suricata/rules, you will have just got 
the ET/Open rules, which don't depend on the engine included rules at all.

I think an argument could be made to host the engine included rules 
online as well, and suricata-update could fetch them over the network if 
it can't find them locally.

Jason
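The flow described in this thread (merge the engine-shipped rule files found under /etc/suricata/rules with downloaded rules into one /var/lib/suricata/rules/suricata.rules, then apply disable.conf and enable.conf) as a small added model. This is example code written for this thread, not suricata-update's own implementation; it assumes only the plain-sid and `re:<regex>` filter forms, that enable.conf wins over disable.conf, and uses constructed sample rules and sids rather than real files.

```python
"""Toy model of the suricata-update merge-and-filter step (added example,
not suricata-update's own code). Assumes disable.conf/enable.conf accept
a bare sid per line or "re:<regex>", and that enable.conf overrides."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_filter(text):
    """Return (set_of_sids, list_of_regexes) from a disable/enable.conf body."""
    sids, regexes = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("re:"):
            regexes.append(re.compile(line[3:].strip()))
        elif line.isdigit():
            sids.add(int(line))
        else:
            raise ValueError(f"unsupported filter line: {raw!r}")
    return sids, regexes


def split_rule(line):
    """Return (was_commented, rule_text), or None if the line is not a rule."""
    body = line.strip()
    commented = body.startswith("#")
    text = body.lstrip("#").strip() if commented else body
    if text.startswith(ACTIONS) and SID_RE.search(text):
        return commented, text
    return None


def selected(rule, filt):
    """True if the rule's sid or text is matched by a parsed filter."""
    sids, regexes = filt
    sid = int(SID_RE.search(rule).group(1))
    return sid in sids or any(r.search(rule) for r in regexes)


def build_ruleset(sources, disable_conf, enable_conf):
    """sources: ordered mapping of rule-file name -> file text, engine files
    first. Returns (merged suricata.rules text, stats dict)."""
    disable, enable = parse_filter(disable_conf), parse_filter(enable_conf)
    out, stats = [], {"total": 0, "active": 0, "disabled": 0}
    for name, text in sources.items():
        out.append(f"# --- {name} ---")
        for line in text.splitlines():
            parsed = split_rule(line)
            if parsed is None:
                continue                       # drop blank/comment-only lines
            commented, rule = parsed
            if selected(rule, enable):         # enable.conf re-activates
                commented = False
            elif selected(rule, disable):      # disable.conf comments out
                commented = True
            out.append(("# " + rule) if commented else rule)
            stats["total"] += 1
            stats["disabled" if commented else "active"] += 1
    return "\n".join(out) + "\n", stats


# Constructed sample data: engine-shipped decode-event style rules and a
# "downloaded" file. Sids and messages are made up for the example.
ENGINE_RULES = {
    "decoder-events.rules":
        'alert pkthdr any any -> any any (msg:"SURICATA IPv4 packet too small"; '
        'decode-event:ipv4.pkt_too_small; sid:2200000; rev:2;)\n',
    "http-events.rules":
        'alert http any any -> any any (msg:"SURICATA HTTP unable to match response"; '
        'app-layer-event:http.unable_to_match_response_to_request; sid:2221000; rev:1;)\n',
}
DOWNLOADED_RULES = {
    "emerging-sample.rules":
        '# a comment line\n'
        'alert tcp any any -> any 80 (msg:"SAMPLE noisy rule"; sid:2010000; rev:1;)\n'
        '# alert tcp any any -> any 443 (msg:"SAMPLE off by default"; sid:2010001; rev:1;)\n',
}
DISABLE_CONF = "# drop the noisy one and all IPv4 decoder events\n2010000\nre:SURICATA IPv4\n"
ENABLE_CONF = "2010001\n"


def demo():
    """Run the model on the constructed data; engine files are merged first."""
    return build_ruleset({**ENGINE_RULES, **DOWNLOADED_RULES}, DISABLE_CONF, ENABLE_CONF)


if __name__ == "__main__":
    text, stats = demo()
    print(text)
    print(stats)
```

Reading the stats after a real suricata-update run is the cheap sanity check for the situation in this thread: if /etc/suricata/rules is empty, the decode-event and app-layer-event rules simply never enter the merged file, so their absence shows up as a lower active count, not as an error.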


