Quick Start

Install Suricata Update

Suricata-Update is bundled with all supported versions of Suricata and is normally installed alongside it. Before following these installation directions, check whether suricata-update is already present; for example, the following command prints its version:

suricata-update -V

You should only need to install Suricata-Update manually if it is required independently of a Suricata install.

Suricata-Update is a tool written in Python and best installed with the pip tool for installing Python packages.

Pip can install suricata-update globally making it available to all users or it can install suricata-update into your home directory.

To install suricata-update globally:

pip install --upgrade suricata-update

or to install it to your own directory:

pip install --user --upgrade suricata-update

Pip can also be used to install the latest development version of Suricata-Update:

pip install --user --upgrade \
    https://github.com/oisf/suricata-update/archive/master.zip

Note

When installing to your home directory the suricata-update program will be installed to $HOME/.local/bin, so make sure this directory is in your path:

export PATH=$HOME/.local/bin:$PATH

Directories and Permissions

In order for suricata-update to function, the following permissions are required:

  • Directory /etc/suricata: read access

  • Directory /var/lib/suricata/rules: read/write access

  • Directory /var/lib/suricata/update: read/write access

One option is to simply run suricata-update as root or with sudo.

Note

It is recommended to create a suricata group, set up the above directories with the correct permissions for that group, and then add users to the group.

Steps to setup the above directories with the correct permissions:

First, create a group suricata:

sudo groupadd suricata

Next, change the group of the directories and their files recursively:

sudo chgrp -R suricata /etc/suricata
sudo chgrp -R suricata /var/lib/suricata/rules
sudo chgrp -R suricata /var/lib/suricata/update

Note

The paths /etc/suricata and /var/lib/suricata above are the ones used in the default configuration; the actual locations depend on the sysconfdir and localstatedir prefixes chosen at compile time. A source build that keeps the default prefix of /usr/local places them under /usr/local/etc/suricata and /usr/local/var/lib/suricata. Check your configuration for the correct paths.

Set up the directories with the correct permissions for the suricata group:

sudo chmod -R g+r /etc/suricata/
sudo chmod -R g+rw /var/lib/suricata/rules
sudo chmod -R g+rw /var/lib/suricata/update

Now, add your user to the group (replace username with the account that will run suricata-update):

sudo usermod -a -G suricata username

Verify that the group has been changed:

ls -al /etc/suricata
ls -al /var/lib/suricata/rules
ls -al /var/lib/suricata/update

Group membership is only picked up at login, so log out and back in (or start a new shell with newgrp suricata), then run suricata-update without sudo to confirm that it works.
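The following script is an added example and not part of the suricata-update project: it checks that the three directories carry the group ownership and group access bits set up in the steps above, so a failing non-root run can be diagnosed before it happens. The optional PREFIX argument of check_all is an addition for this example (it lets a /usr/local source build be checked with the same function); the script inspects the mode bits shown by ls -ld rather than trying to write to the directories.

```shell
#!/bin/sh
# Added example, not code from the suricata-update project: check that the
# directories suricata-update uses carry the group ownership and access bits
# set up in the steps above, so a non-root run can be diagnosed in advance.

# check_dir DIR GROUP MODE
#   MODE is "r" (read access) or "rw" (read/write access) for GROUP.
#   Group members also need the search (x) bit on a directory; the chmod
#   steps above rely on it already being present from the usual 755 default.
#   Prints the first problem found and returns 1 on any mismatch.
check_dir() {
  dir=$1 want_group=$2 want_mode=$3
  if [ ! -d "$dir" ]; then
    echo "$dir: missing (check the paths in your Suricata configuration)"
    return 1
  fi
  listing=$(ls -ld "$dir")
  perms=$(printf '%s\n' "$listing" | awk '{print $1}')
  have_group=$(printf '%s\n' "$listing" | awk '{print $4}')
  if [ "$have_group" != "$want_group" ]; then
    echo "$dir: group is $have_group, expected $want_group"
    return 1
  fi
  # Characters 5-7 of the mode string are the group bits (drwxrwx--- -> rwx).
  gbits=$(printf '%s\n' "$perms" | cut -c5-7)
  case "$want_mode:$gbits" in
    r:r?x|rw:rwx) return 0 ;;
  esac
  echo "$dir: group bits are '$gbits', need '$want_mode' plus search (x)"
  return 1
}

# check_all GROUP [PREFIX]
#   Check the three directories from the Quick Start. PREFIX is a parameter
#   added for this example so a source build rooted at /usr/local can be
#   checked with the same function; leave it empty for packaged installs.
check_all() {
  grp=$1 prefix=${2:-}
  status=0
  check_dir "$prefix/etc/suricata"            "$grp" r  || status=1
  check_dir "$prefix/var/lib/suricata/rules"  "$grp" rw || status=1
  check_dir "$prefix/var/lib/suricata/update" "$grp" rw || status=1
  return $status
}

# Usage: sh check-suricata-dirs.sh suricata             (packaged install)
#        sh check-suricata-dirs.sh suricata /usr/local  (source build)
if [ $# -ge 1 ]; then
  check_all "$@" && echo "ok: a member of group $1 can run suricata-update without sudo"
fi
```

Run it as the account that will run suricata-update; a missing search bit or a directory still owned by root is reported by path, which is the usual cause of "permission denied" after following the steps above.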

Update Your Rules

Without doing any configuration the default operation of suricata-update is to use the Emerging Threats Open ruleset.

Example:

suricata-update

This command will:

  • Look for the suricata program on your path to determine its version.

  • Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for filters to apply to the downloaded rules. These files are optional and do not need to exist.

  • Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 6.0.0 if not found.

  • Apply enable, disable, drop and modify filters as loaded above.

  • Write out the rules to /var/lib/suricata/rules/suricata.rules.

  • Run Suricata in test mode on /var/lib/suricata/rules/suricata.rules.
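The filter files mentioned above are optional, and the page does not show their format, so here is an added example (not code from the suricata-update project) that writes starter enable.conf, disable.conf, drop.conf and modify.conf files and lints them before suricata-update reads them. The matcher forms used (a bare SID, re:<regex>, group:<ruleset file>) and the modify.conf line shape <matcher> "<from>" "<to>" are suricata-update's own; the SIDs, patterns and ruleset file names in the samples are constructed placeholders, and the lint function is an assumption of this example, not a suricata-update feature.

```shell
#!/bin/sh
# Added example, not code from the suricata-update project: create starter
# enable.conf, disable.conf, drop.conf and modify.conf files and lint them
# before suricata-update reads them. The matcher syntax (bare SID, re:<regex>,
# group:<ruleset file>) and the modify.conf form <matcher> "<from>" "<to>" are
# suricata-update's own; the SIDs, patterns and file names in the samples are
# constructed placeholders, not recommendations.

# write_filter_examples DIR
#   Create the four filter files under DIR (normally /etc/suricata).
#   Existing files are left untouched.
write_filter_examples() {
  fdir=$1
  mkdir -p "$fdir"
  [ -e "$fdir/disable.conf" ] || cat > "$fdir/disable.conf" <<'EOF'
# Disable one rule by SID.
2019401
# Disable every rule whose text matches a regular expression.
re:heartbleed
# Disable all rules from one file of the ruleset.
group:emerging-deleted.rules
EOF
  [ -e "$fdir/enable.conf" ] || cat > "$fdir/enable.conf" <<'EOF'
# Enable a rule that ships disabled (commented out), here by SID.
2019402
EOF
  [ -e "$fdir/drop.conf" ] || cat > "$fdir/drop.conf" <<'EOF'
# Convert matching alert rules to drop rules (only meaningful in IPS mode).
re:ET TROJAN
EOF
  [ -e "$fdir/modify.conf" ] || cat > "$fdir/modify.conf" <<'EOF'
# <matcher> "<from>" "<to>": substitute "from" with "to" in matching rules.
2019403 "^alert" "drop"
group:emerging-trojan.rules "^alert" "drop"
EOF
}

# lint_filter FILE [modify]
#   Check that every non-comment line starts with a matcher suricata-update
#   understands: a numeric SID, re:<regex> or group:<file>. With the second
#   argument "modify", each matcher must be followed by two quoted strings.
#   Reports the first bad line and returns 1; returns 0 if all lines pass.
lint_filter() {
  file=$1 kind=${2:-plain} n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$line" in
      ''|'#'*) continue ;;
    esac
    if [ "$kind" = modify ]; then
      # Strip the trailing "<from>" "<to>" pair; nothing left means it is missing.
      matcher=$(printf '%s\n' "$line" | sed -n 's/^\(.*[^ ]\) *"[^"]*" *"[^"]*"$/\1/p')
      if [ -z "$matcher" ]; then
        echo "$file:$n: modify line needs <matcher> \"<from>\" \"<to>\""
        return 1
      fi
    else
      matcher=$line
    fi
    case "$matcher" in
      *[!0-9]*) ;;        # contains a non-digit: must be re: or group:
      *) continue ;;      # all digits: a SID
    esac
    case "$matcher" in
      re:?*|group:?*) ;;
      *) echo "$file:$n: unknown matcher '$matcher'"; return 1 ;;
    esac
  done < "$file"
  return 0
}

# Usage: sh filters.sh /etc/suricata
if [ $# -eq 1 ]; then
  write_filter_examples "$1"
  for f in enable disable drop; do lint_filter "$1/$f.conf" || exit 1; done
  lint_filter "$1/modify.conf" modify || exit 1
  echo "ok: filter files in $1 look well-formed; run suricata-update to apply them"
fi
```

The lint step is worth keeping in any deployment script: a mistyped matcher in disable.conf silently matches nothing, so the rule you meant to silence keeps firing, and a modify.conf line with a missing quoted string is the kind of error that is only noticed after the next rule update has already been written out.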

Note

Suricata-Update is also capable of triggering a rule reload, but doing so requires some extra configuration that will be covered later. See the documentation of --reload-command=<command> for more details.

Configure Suricata to Load Suricata-Update Managed Rules

Note

If suricata-update was installed for you by Suricata, then your Suricata configuration should already be set up to work with Suricata-Update.

If upgrading from an older version of Suricata, or running a development version that may not be bundled with Suricata-Update, you will have to check that your suricata.yaml is configured for Suricata-Update. The main difference is the default-rule-path which is /var/lib/suricata/rules when using Suricata-Update.

You will want to update your suricata.yaml to have the following:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

If you have local rules you would like Suricata to load, these can be listed here as well; give them a full path name so they are not looked up under default-rule-path.

Discover Other Available Rule Sources

First update the rule source index with the update-sources command, for example:

suricata-update update-sources

Then list the sources from the index. Example:

suricata-update list-sources

Now enable the ptresearch/attackdetection ruleset:

suricata-update enable-source ptresearch/attackdetection

And update your rules again:

suricata-update

List Enabled Sources

suricata-update list-sources --enabled

Disable a Source

suricata-update disable-source et/pro

Disabling a source keeps its configuration but stops it from being used. This is useful when a source requires parameters such as an access code that you do not want to lose, which would happen if you removed the source.

Enabling a disabled source re-enables it without prompting for that input again.

Remove a Source

suricata-update remove-source et/pro

This removes the local configuration for this source. Re-enabling et/pro will require re-entering your access code.