Quick Start¶
Install Suricata Update¶
Note
If you have already installed Suricata 4.1 or newer you
likely already have Suricata-Update installed. Please check
if the suricata-update
command is available to you
before installing.
Suricata-Update is a tool written in Python and best installed with
the pip
tool for installing Python packages.
Pip can install suricata-update
globally making it available to
all users or it can install suricata-update
into your home
directory for use by your user.
Note
At some point suricata-update
should be bundled with
Suricata avoid the need for a separate installation.
To install suricata-update
globally:
pip install --upgrade suricata-update
or to install it to your own directory:
pip install --user --upgrade suricata-update
Note
When installing to your home directory the
suricata-update
program will be installed to
$HOME/.local/bin, so make sure this directory is in your
path:
export PATH=$HOME/.local/bin:$PATH
Directories and Permissions¶
In order for suricata-update
to function, the following
permissions are required:
- Directory /etc/suricata: read/write access
- Directory /var/lib/suricata/rules: read/write access
- Directory /var/lib/suricata/update: read/write access
One option is to simply run suricata-update
as root or with
sudo
.
Note
It is recommended to create a suricata
group and setup
the above directories with the correct permissions for
the suricata
group then add users to the suricata
group.
Steps to setup the above directories with the correct permissions:
First, create a group suricata
:
sudo groupadd suricata
Next, change the group of the directories and its files recursively:
sudo chgrp -R suricata /etc/suricata
sudo chgrp -R suricata /var/lib/suricata/rules
sudo chgrp -R suricata /var/lib/suricata/update
Note
The paths /etc/suricata
and /var/lib
above are used
in the default configuration and are dependent on paths set
during compilation. By default, these paths are set to
/usr/local
.
Please check your configuration for appropriate paths.
Setup the directories with the correct permissions for the suricata
group:
sudo chmod -R g+r /etc/suricata/
sudo chmod -R g+rw /var/lib/suricata/rules
sudo chmod -R g+rw /var/lib/suricata/update
Now, add user to the group:
sudo usermod -a -G suricata username
Verify whether group has been changed:
ls -al /etc/suricata
ls -al /var/lib/suricata/rules
ls -al /var/lib/suricata/update
Reboot your system. Run suricata-update
without a sudo to check
if suricata-update functions.
Update Your Rules¶
Without doing any configuration the default operation of
suricata-update
is to use the Emerging Threats Open ruleset.
Example:
suricata-update
This command will:
- Look for the
suricata
program on your path to determine its version. - Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for filters to apply to the downloaded rules. These files are optional and do not need to exist.
- Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 4.0.0 if not found.
- Apply enable, disable, drop and modify filters as loaded above.
- Write out the rules to
/var/lib/suricata/rules/suricata.rules
. - Run Suricata in test mode on
/var/lib/suricata/rules/suricata.rules
.
Note
Suricata-Update is also capable of triggering a rule reload, but doing so requires some extra configuration that will be covered later.
Configure Suricata to Load Suricata-Update Managed Rules¶
Note
If suricata-update
was installed for you by Suricata,
then your Suricata configuration should already be setup to
work with Suricata-Update.
If upgrading from an older version of Suricata, or running a
development version that may not be bundled with Suricata-Update, you
will have to check that your suricata.yaml
is configured for
Suricata-Update. The main difference is the default-rule-path
which is /var/lib/suricata/rules
when using Suricata-Update.
You will want to update your suricata.yaml
to have the following:
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
If you have local rules you would like Suricata to load, these can be listed here as well by using the full path name.
Discover Other Available Rule Sources¶
First update the rule source index with the update-sources
command,
for example:
suricata-update update-sources
Then list the sources from the index. Example:
suricata-update list-sources
Now enable the ptresearch/attackdetection ruleset:
suricata-update enable-source ptresearch/attackdetection
And update your rules again:
suricata-update
List Enabled Sources¶
suricata-update list-sources --enabled
Disable a Source¶
suricata-update disable-source et/pro
Disabling a source keeps the source configuration but disables. This is useful when a source requires parameters such as a code that you don’t want to lose, which would happen if you removed a source.
Enabling a disabled source re-enables without prompting for user inputs.
Remove a Source¶
suricata-update remove-source et/pro
This removes the local configuration for this source. Re-enabling et/pro will requiring re-entering your access code.