Quick Start

Install Suricata Update

Suricata-Update is a tool written in Python and best installed with the pip tool for installing Python packages.

Pip can install suricata-update globally making it available to all users or it can install suricata-update into your home directory for use by your user.

Note

At some point suricata-update should be bundled with Suricata avoid the need for a separate installation.

To install suricata-update globally:

pip install --pre --upgrade suricata-update

or to install it to your own directory:

pip install --user --pre --upgrade suricata-update

Note

When installing to your home directory the suricata-update program will be installed to $HOME/.local/bin, so make sure this directory is in your path:

export PATH=$HOME/.local/bin:$PATH

Directories and Permissions

In order for suricata-update to function, the following permissions are required:

  • Directory /etc/suricata: read access
  • Directory /var/lib/suricata/rules: read/write access
  • Directory /var/lib/suricata/update: read/write access

One option is to simply run suricata-update as root or with sudo.

Note

It is recommended to create a suricata group and setup the above directories with the correction permissions for the suricata group then add users to the suricata group.

More documentation will be provided about this, including a tool to verify and maybe setup the permissions.

Update Your Rules

Without doing any configuration the default operation of suricata-update is use the Emerging Threats Open ruleset.

Example:

suricata-update

This command will:

  • Look for the suricata program on your path to determine its version.
  • Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for filters to apply to the downloaded rules. These files are optional and do not need to exist.
  • Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 4.0.0 if not found.
  • Apply enable, disable, drop and modify filters as loaded above.
  • Write out the rules to /var/lib/suricata/rules/suricata.rules.
  • Run Suricata in test mode on /var/lib/suricata/rules/suricata.rules.

Note

Suricata-Update is also capable of triggering a rule reload, but doing so requires some extra configuration that will be covered later.

Configure Suricata to Load Suricata-Update Managed Rules

Suricata-Update takes a different convention to rule files than Suricata traditionally has. The most noticeable difference is that the rules are stored by default in /var/lib/suricata/rules/suricata.rules.

One way to load the rules is to the the -S Suricata command line option. The other is to update your suricata.yaml to look something like:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Note

In the future we expect Suricata to use this new convention by default.

Discover Other Available Rule Sources

First update the rule source index with the update-sources command, for example:

suricata-update update-sources

Then list the sources from the index. Example:

suricata-update list-sources

Now enable the ptresearch/attackdetection ruleset:

suricata-update enable-source ptresearch/attackdetection

And update your rules again:

suricata-update

List Enabled Sources

suricata-update list-enabled-sources

Disable a Source

suricata-update disable-source et/pro

Disabling a source keeps the source configuration but disables. This is useful when a source requires parameters such as a code that you don’t want to lose, which would happen if you removed a source.

Enabling a disabled source re-enables without prompting for user inputs.

Remove a Source

suricata-update remove-source et/pro

This removes the local configuration for this source. Re-enabling et/pro will requiring re-entering your access code.