The tool for updating your Suricata rules.
pip install --upgrade suricata-update
The default invocation of suricata-update will perform the following:
- Read the configuration, /etc/suricata/update.yaml, if it exists.
- Read in the rule filter configuration files (the disable, enable, drop and modify filters).
- Download the best version of the Emerging Threats Open ruleset for the version of Suricata found.
- Read in the rule files provided with the Suricata distribution from /etc/suricata/rules.
- Apply disable, enable, drop and modify filters.
- Resolve flowbits.
- Write the rules to /var/lib/suricata/rules/suricata.rules.
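The filter and write steps above, as an added illustration (not suricata-update's own code): a simplified model that applies disable, enable, drop and modify filters in that order to a constructed rule set, then counts what is actually enabled in the result, which is the check worth running on the written suricata.rules. Matching filters by sid only is an assumption made for brevity.

```python
import re

# Constructed sample rule set standing in for the combined input rule files
# (not real ET Open content; sids are in the local range).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE http rule"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"EXAMPLE off by default"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns rule"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh rule"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|pass|reject)\b")


def apply_filters(text, disable=(), enable=(), drop=(), modify=()):
    """Simplified model of the pipeline: disable, enable, drop, then modify.

    Filters are keyed by sid (an assumption of this example; the real filter
    files accept other match forms). Returns the processed rule text.
    """
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid_m = SID_RE.search(line)
        if not m or not sid_m:
            out.append(line)          # blank lines and plain comments pass through
            continue
        sid = int(sid_m.group(1))
        body = line.lstrip().lstrip("#").lstrip()
        commented = m.group(1) is not None
        if sid in disable:
            commented = True
        if sid in enable:             # enable runs after disable, so it wins
            commented = False
        if sid in drop:               # drop filter turns alert into drop
            body = re.sub(r"^alert\b", "drop", body)
        for target, pattern, repl in modify:   # (sid, regex, replacement)
            if target == sid:
                body = re.sub(pattern, repl, body)
        out.append("# " + body if commented else body)
    return "\n".join(out) + "\n"


def summarize(text):
    """Count enabled (uncommented) rules per action in a rule file's text."""
    counts = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) is None:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts
```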
The default Suricata configuration needs to be updated to find the rules in the new location:
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
Alternatively, -S /var/lib/suricata/rules/suricata.rules could be provided on the Suricata command line.
The suricata-update tool is based around the idea that /etc/suricata should not be used for active rule management, but instead as a location for more or less static configuration. /var/lib/suricata is used for rule management, and /etc/suricata/rules is used as a source for rule files provided by the Suricata distribution.
Files and Directories
- Used as a source of rules provided by the Suricata engine. If this directory does not exist, /etc/suricata/rules will be used.
- The default location for the
- Default location for disable rule filters if not provided in the configuration file or command line.
- Default location for enable rule filters if not provided in the configuration file or command line.
- Default location for drop rule filters if not provided in the configuration file or command line.
- Default location for modify rule filters if not provided in the configuration file or command line.
- The output directory for rules processed by the suricata-update tool. This directory is owned and managed by suricata-update and should not be touched by the user.
- The default output filename for the rules processed by suricata-update. This is a single file that contains all the rules from all input files and should be used by Suricata.
- Directory where downloaded rule files are cached.
- Cached copy of the rule source index.
- Configuration directory for sources enabled or added with