[Oisf-users] suricata-update and path/files in config

Tiago Faria tiago.faria.backups at gmail.com
Fri Jan 19 19:03:26 UTC 2018


Thank you for that explanation, Jason. Clear!

I would +1 the idea of having them available via download. There's
already the OISF source in suricata-update, so maybe even host them
there? Could possibly make the experience of people using the
pre-compiled packages easier (unless the rules are part of the package
and I didn't notice it).

Is there any alternative method to get the engine rules, or is the
build argument you mentioned the recommended way?

Thank you!

On Fri, Jan 19, 2018 at 6:37 PM, Jason Ish <ish at unx.ca> wrote:
> On 2018-01-19 05:57 AM, T F wrote:
>>
>> On Tue, Jan 16, 2018 at 9:40 PM, Jason Ish <ish at unx.ca> wrote:
>>>
>>> On 2018-01-13 10:54 AM, T F wrote:
>>>>
>>>>
>>>> Hi list,
>>>>
>>>> I recently started using suricata-update, and I'm a bit unsure of how
>>>> this affects the configuration. As per the documentation [1], the
>>>> configuration file needs to be updated to reflect the path and file
>>>> created by suricata-update (which, also from the documentation, I
>>>> could understand it's all put in one single file, and management of
>>>> rules is done via disable.conf and enable.conf).
>>>>
>>>> "default-rule-path: /var/lib/suricata/rules
>>>>
>>>> rule-files:
>>>>     - suricata.rules"
>>>>
>>>> Does this mean that the configuration for the rules that depend on
>>>> /etc/suricata/rules can be removed? My objective is to rely only on
>>>> suricata-update, and from what I understood from the Github page for
>>>> suricata-update [2], if I'm not relying on /etc/suricata/rules, that
>>>> part of the configuration can be removed.
>>>
>>>
>>>
>>> So suricata-update is designed around the idea of moving away from the
>>> /etc/suricata/rules directory, but for now it's used as a source directory
>>> for suricata-update.
>>
>>
>> Makes sense. Thank you.
>>
>>> When suricata-update is run it will check /etc/suricata/rules for the
>>> rule
>>> files that are known to ship with the suricata engine, these are the rule
>>> files that are found in the rules directory of the source.
>>>
>>> They are then merged into the other rules and included in
>>> /var/lib/suricata/rules/suricata.rules.
>>
>>
>> Since I didn't have any rules in /etc/suricata/rules, is it possible
>> that suricata-update just downloaded ET and OISF and created the file in
>> /var/lib/suricata/rules/? Suricata was still detecting based on this
>> file alone.
>
>
> Suricata-update will still run fine without /etc/suricata/rules. You will
> miss the few rules that are included with the engine though. These rules are
> more related to protocol decode errors and not specific attacks.
>
> So without them present at /etc/suricata/rules, you will have just got the
> ET/Open rules, which don't depend on the engine included rules at all.
>
> I think an argument could be made to host the engine included rules online
> as well, and suricata-update could fetch them over the network if it can't
> find them locally.
>
> Jason
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
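An added check for the situation Jason describes above (the engine-shipped rules missing from the merged file because /etc/suricata/rules was absent when suricata-update ran), written as example code that is not part of Suricata or suricata-update. It assumes the three keywords that only the engine's own rule files use (decode-event, stream-event, app-layer-event), parses just the flat default-rule-path / rule-files form quoted in the thread rather than full YAML, and constructs its sample suricata.yaml and suricata.rules inline; the sids and messages in the sample are made up.

```python
"""Check a suricata-update managed setup offline:
  - does suricata.yaml load only /var/lib/suricata/rules/suricata.rules?
  - does the merged suricata.rules contain the engine-shipped rules?

Added example for this mailing-list thread; not code from Suricata or
suricata-update.  Sample config and rules below are constructed.
"""
import re

# Keywords used only by the rule files shipped in the engine source tree
# (decoder-events.rules, stream-events.rules, app-layer-events.rules).
# ET/Open signatures do not use them, so their absence from the merged
# file means the engine rules were never found by suricata-update.
ENGINE_KEYWORDS = ("decode-event", "stream-event", "app-layer-event")


def iter_rules(rules_text):
    """Yield (enabled, rule_text) for every rule line, including rules that
    disable.conf left commented out; skip blank lines and plain comments."""
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("# ").strip()
        if "->" not in body and "<>" not in body:  # comment, not a rule
            continue
        yield enabled, body


def engine_rule_stats(rules_text):
    """Count rules per engine keyword (and 'other' for everything else),
    split into enabled and disabled."""
    stats = {k: {"enabled": 0, "disabled": 0} for k in ENGINE_KEYWORDS}
    stats["other"] = {"enabled": 0, "disabled": 0}
    for enabled, body in iter_rules(rules_text):
        key = next((k for k in ENGINE_KEYWORDS if k + ":" in body), "other")
        stats[key]["enabled" if enabled else "disabled"] += 1
    return stats


def missing_engine_rules(rules_text):
    """Engine keywords with no rule at all in the merged file.  Non-empty
    means only the downloaded sources (e.g. ET/Open) were merged."""
    stats = engine_rule_stats(rules_text)
    return [k for k in ENGINE_KEYWORDS
            if stats[k]["enabled"] + stats[k]["disabled"] == 0]


def rule_config(yaml_text):
    """Extract default-rule-path and the rule-files list from the flat
    suricata.yaml form quoted in the thread (no PyYAML dependency)."""
    path, files, in_files = None, [], False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"\s*default-rule-path\s*:\s*(\S+)", line)
        if m:
            path, in_files = m.group(1), False
            continue
        if re.match(r"\s*rule-files\s*:", line):
            in_files = True
            continue
        if in_files:
            m = re.match(r"\s*-\s*(\S+)", line)
            if m:
                files.append(m.group(1))
            else:
                in_files = False
    return path, files


def uses_suricata_update_output(yaml_text, path="/var/lib/suricata/rules",
                                name="suricata.rules"):
    """True when the config loads suricata-update's single merged file and
    nothing else, i.e. the legacy /etc/suricata/rules entries are gone."""
    cfg_path, files = rule_config(yaml_text)
    return cfg_path == path and files == [name]


# Constructed samples (sids and messages are made up for this example).
SAMPLE_YAML = "default-rule-path: /var/lib/suricata/rules\n\nrule-files:\n    - suricata.rules\n"
LEGACY_YAML = "default-rule-path: /etc/suricata/rules\nrule-files:\n  - botcc.rules\n  - decoder-events.rules\n"
SAMPLE_RULES = """\
# Generated by suricata-update (constructed sample)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"CONSTRUCTED ET-style rule"; flow:to_server; sid:9000001; rev:1;)
alert pkthdr any any -> any any (msg:"CONSTRUCTED decoder rule"; decode-event:ipv4.trunc_pkt; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED stream rule, disabled"; stream-event:3whs_wrong_seq_wrong_ack; sid:9000003; rev:1;)
alert http any any -> any any (msg:"CONSTRUCTED app-layer rule"; app-layer-event:http.unknown_error; sid:9000004; rev:1;)
"""
ET_ONLY_RULES = 'alert tcp any any -> any any (msg:"CONSTRUCTED only"; sid:9000005; rev:1;)\n'

if __name__ == "__main__":
    print("config uses suricata-update output:", uses_suricata_update_output(SAMPLE_YAML))
    print("legacy config:", rule_config(LEGACY_YAML))
    print("stats:", engine_rule_stats(SAMPLE_RULES))
    print("missing in merged file:", missing_engine_rules(SAMPLE_RULES))
    print("missing in ET-only file:", missing_engine_rules(ET_ONLY_RULES))
```

To use it on a real box, read /etc/suricata/suricata.yaml and /var/lib/suricata/rules/suricata.rules into the two functions; a non-empty missing_engine_rules result is the symptom of running suricata-update without the engine's rules directory present.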
