[Oisf-users] Rule updates

Jason Ish jason.ish at oisf.net
Thu Sep 26 15:13:50 UTC 2019


On 2019-09-26 8:12 a.m., David Decker wrote:
> All,
> 
> I have a few off-line systems running in different locations with limited
> bandwidth and would like to keep them all on the same rule sets.  
> 
> If I have a "master" for lack of better terms with tuned rule sets and
> newest rules, is it possible to just copy the /rules directory, or are more
> files required?  
> 
> Would this be possible instead of having to send out the ET rules, VRT
> rules, custom rules to each for them to run suricata-update?

Yes. It's just files so you are pretty flexible to do what you want.

I've heard of use cases where suricata-update is used on one machine,
and the resulting /var/lib/suricata/rules/suricata.rules is then pushed
out to sensors with tools like Ansible, Salt, etc. Of course you could
just use scp, or whatever. Just remember to SIGUSR2, or use suricatasc
reload-rules to reload your rules after placing the new file in place.


Jason
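An added example of the sensor-side step described above (not from the thread and not Suricata's own tooling): check a pushed suricata.rules file against the SHA-256 the master published, refuse an empty or truncated copy, install it atomically, then reload. The staging path, target path and the `deploy` argument are assumptions.

```shell
#!/bin/sh
# Added example: install a suricata.rules file generated elsewhere by
# suricata-update and reload the local engine. Assumes the file was already
# transferred (scp, Ansible, Salt, ...) and that suricatasc is on PATH.
set -eu

# Count active rule lines (commented-out and blank lines are skipped) so an
# empty or truncated transfer is rejected before it replaces a working set.
count_rules() {
    grep -c -E '^[[:space:]]*(alert|pass|drop|reject[a-z]*)[[:space:]]' "$1" || true
}

# Verify the checksum the master published, check that the file holds rules,
# then rename into place. Any failed check leaves the active rules untouched.
install_rules() {
    staged=$1; target=$2; expected_sha=$3
    actual_sha=$(sha256sum "$staged" | cut -d' ' -f1)
    [ "$actual_sha" = "$expected_sha" ] || { echo "checksum mismatch for $staged" >&2; return 1; }
    n=$(count_rules "$staged")
    [ "$n" -gt 0 ] || { echo "no rules found in $staged" >&2; return 1; }
    tmp="$target.tmp.$$"
    cp "$staged" "$tmp" && mv "$tmp" "$target"
    echo "installed $n rules into $target"
}

# Ask the running engine to reload: suricatasc over the unix socket when
# available, otherwise the SIGUSR2 signal mentioned in the thread.
reload_rules() {
    if command -v suricatasc >/dev/null 2>&1; then
        suricatasc -c reload-rules
    else
        pkill -USR2 -x suricata
    fi
}

# Usage (assumed paths): sh deploy.sh deploy /tmp/suricata.rules <sha256>
main() {
    install_rules "$1" /var/lib/suricata/rules/suricata.rules "$2" && reload_rules
}

if [ "${1:-}" = "deploy" ]; then
    shift; main "$@"
fi
```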

