Install Suricata Update¶
If you have already installed Suricata 4.1 you likely
already have Suricata-Update installed. Please check if the
suricata-update command is available to you before
Suricata-Update is a tool written in Python and best installed with
pip tool for installing Python packages.
Pip can install
suricata-update globally making it available to
all users or it can install
suricata-update into your home
directory for use by your user.
At some point
suricata-update should be bundled with
Suricata avoid the need for a separate installation.
pip install --upgrade suricata-update
or to install it to your own directory:
pip install --user --upgrade suricata-update
When installing to your home directory the
suricata-update program will be installed to
$HOME/.local/bin, so make sure this directory is in your
Directories and Permissions¶
In order for
suricata-update to function, the following
permissions are required:
- Directory /etc/suricata: read/write access
- Directory /var/lib/suricata/rules: read/write access
- Directory /var/lib/suricata/update: read/write access
One option is to simply run
suricata-update as root or with
It is recommended to create a
suricata group and setup
the above directories with the correct permissions for
suricata group then add users to the
Steps to setup the above directories with the correct permissions:
First, create a group
sudo groupadd suricata
Next, change the group of the directories and its files recursively:
sudo chgrp -R suricata /etc/suricata sudo chgrp -R suricata /var/lib/suricata/rules sudo chgrp -R suricata /var/lib/suricata/update
/var/lib above are used
in the default configuration and are dependent on paths set
during compilation. By default, these paths are set to
Please check your configuration for appropriate paths.
Setup the directories with the correct permissions for the
sudo chmod -R g+r /etc/suricata/ sudo chmod -R g+rw /var/lib/suricata/rules sudo chmod -R g+rw /var/lib/suricata/update
Now, add user to the group:
sudo usermod -a -G suricata username
Verify whether group has been changed:
ls -al /etc/suricata ls -al /var/lib/suricata/rules ls -al /var/lib/suricata/update
Reboot your system. Run
suricata-update without a sudo to check
if suricata-update functions.
Update Your Rules¶
Without doing any configuration the default operation of
suricata-update is use the Emerging Threats Open ruleset.
This command will:
- Look for the
suricataprogram on your path to determine its version.
- Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for filters to apply to the downloaded rules. These files are optional and do not need to exist.
- Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 4.0.0 if not found.
- Apply enable, disable, drop and modify filters as loaded above.
- Write out the rules to
- Run Suricata in test mode on
Suricata-Update is also capable of triggering a rule reload, but doing so requires some extra configuration that will be covered later.
Configure Suricata to Load Suricata-Update Managed Rules¶
Suricata-Update takes a different convention to rule files than
Suricata traditionally has. The most noticeable difference is that the
rules are stored by default in
One way to load the rules is to the the
-S Suricata command line
option. The other is to update your
suricata.yaml to look
default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules
In the future we expect Suricata to use this new convention by default.
Discover Other Available Rule Sources¶
First update the rule source index with the
Then list the sources from the index. Example:
Now enable the ptresearch/attackdetection ruleset:
suricata-update enable-source ptresearch/attackdetection
And update your rules again:
List Enabled Sources¶
Disable a Source¶
suricata-update disable-source et/pro
Disabling a source keeps the source configuration but disables. This is useful when a source requires parameters such as a code that you don’t want to lose, which would happen if you removed a source.
Enabling a disabled source re-enables without prompting for user inputs.
Remove a Source¶
suricata-update remove-source et/pro
This removes the local configuration for this source. Re-enabling et/pro will requiring re-entering your access code.