The tool for updating your Suricata rules.
Install or upgrade it with pip:

  pip install --pre --upgrade suricata-update
The default invocation of suricata-update will perform the following:
- Read the configuration, /etc/suricata/update.yaml, if it exists.
- Read in the rule filter configuration files (the disable, enable, drop and modify filter files listed under Files and Directories below).
- Download the best version of the Emerging Threats Open ruleset for the version of Suricata found.
- Read in the rule files provided with the Suricata distribution from /etc/suricata/rules.
- Apply disable, enable, drop and modify filters.
- Resolve flowbits.
- Write the rules to /var/lib/suricata/rules/suricata.rules.
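The filter and flowbit steps above are easy to get wrong by hand, so here is a small Python model of them. This is an added example for this page, not suricata-update's own code: the selector forms it accepts (a bare sid, `re:<regex>` matched against the rule text, and `(sid, from, to)` tuples for modify) are modelled on the tool's disable/enable/drop/modify files but are an assumption of this example rather than the tool's full grammar, and the five rules and the EXAMPLE_FILTERS are constructed. It shows why flowbit resolution matters: disabling every `WEB` rule with a regex and then re-enabling only the checker would leave that checker dead without the setter being brought back.

```python
"""Model of suricata-update's filter and flowbit-resolution passes (added example,
not the tool's code; selector syntax and sample rules are assumptions)."""
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")

# Constructed sample rules (not real Emerging Threats signatures).
RULES = """\
alert tcp any any -> any 80 (msg:"WEB set-bit"; flow:established,to_server; flowbits:set,ex.web; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB check-bit"; flowbits:isset,ex.web; content:"/admin"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"SSH noisy"; sid:1000003; rev:1;)
# alert udp any any -> any 53 (msg:"DNS disabled upstream"; sid:1000004; rev:1;)
alert tcp any any -> any 443 (msg:"TLS bad cert"; sid:1000005; rev:1;)
"""


@dataclass
class Rule:
    action: str            # alert, drop, pass, ...
    body: str              # everything after the action keyword
    sid: int
    enabled: bool          # a leading '#' in the source marks a disabled rule
    sets: set = field(default_factory=set)    # flowbit names this rule sets
    checks: set = field(default_factory=set)  # flowbit names this rule tests

    @property
    def text(self):
        return f"{self.action} {self.body}"

    def __str__(self):
        # Disabled rules are written out commented, not dropped from the file.
        return self.text if self.enabled else "# " + self.text


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line, enabled = raw.strip(), True
        if line.startswith("#"):
            line, enabled = line.lstrip("#").strip(), False
        action, _, body = line.partition(" ")
        sid = SID_RE.search(body)
        if action not in ACTIONS or not sid:
            continue  # blank line or plain comment, not a rule
        rule = Rule(action, body, int(sid.group(1)), enabled)
        for op, names in FLOWBITS_RE.findall(body):
            bits = {n.strip() for n in names.split("|")} if names else set()
            if op in ("set", "setx"):
                rule.sets |= bits
            elif op in ("isset", "isnotset"):
                rule.checks |= bits
        rules.append(rule)
    return rules


def _matches(rule, selector):
    if selector.startswith("re:"):
        return re.search(selector[3:], rule.text) is not None
    return rule.sid == int(selector)


def apply_filters(rules, disable=(), enable=(), drop=(), modify=()):
    """Apply the four filter kinds in the order the page lists them."""
    for r in rules:
        if any(_matches(r, s) for s in disable):
            r.enabled = False
        if any(_matches(r, s) for s in enable):
            r.enabled = True
        if any(_matches(r, s) for s in drop):
            r.action = "drop"
        for sid, old, new in modify:
            if r.sid == int(sid):
                r.body = re.sub(old, new, r.body)
    return rules


def resolve_flowbits(rules):
    """Re-enable disabled rules that set a flowbit some enabled rule checks.
    Loop to a fixpoint, since a newly enabled setter may itself check bits."""
    changed = True
    while changed:
        changed = False
        needed = set().union(*(r.checks for r in rules if r.enabled))
        for r in rules:
            if not r.enabled and r.sets & needed:
                r.enabled, changed = True, True
    return rules


def build_ruleset(text, **filters):
    return resolve_flowbits(apply_filters(parse_rules(text), **filters))


# Hypothetical filter configuration for the sample run.
EXAMPLE_FILTERS = dict(
    disable=["re:WEB", "1000003"],
    enable=["1000002", "1000004"],
    drop=["1000005"],
    modify=[("1000005", r"any 443", "any [443,8443]")],
)


def example():
    return build_ruleset(RULES, **EXAMPLE_FILTERS)


if __name__ == "__main__":
    print("".join(f"{r}\n" for r in example()), end="")
```

Running it prints the merged ruleset the way the real tool would write suricata.rules: sid 1000003 commented out, 1000004 uncommented, 1000005 converted to drop with its port list rewritten, and 1000001 still active even though the `re:WEB` disable matched it, because 1000002 depends on the flowbit it sets.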
The default Suricata configuration needs to be updated to find the rules in the new location:

  default-rule-path: /var/lib/suricata/rules
  rule-files:
    - suricata.rules

Alternatively, -S /var/lib/suricata/rules/suricata.rules can be passed on the Suricata command line; -S loads that file exclusively, so the rule-files list in suricata.yaml is ignored. Suricata 4.1 and later ship a suricata.yaml that already points at /var/lib/suricata/rules.
The suricata-update tool is based around the idea that /etc/suricata should not be used for active rule management, but instead as a location for more or less static configuration. /var/lib/suricata is used for rule management, and /etc/suricata/rules is used only as a source for rule files provided by the Suricata distribution.
Files and Directories
/etc/suricata/rules
- Used as a source of rules provided by the Suricata distribution. Currently only filenames known to ship with the Suricata source distribution are pulled from here, so that user-provided rule files placed in this directory are not picked up by mistake. In the future a directory like /usr/share/suricata/rules may be used.
- The default location for the
- Default location for disable rule filters if not provided in the configuration file or command line.
- Default location for enable rule filters if not provided in the configuration file or command line.
- Default location for drop rule filters if not provided in the configuration file or command line.
- Default location for modify rule filters if not provided in the configuration file or command line.
/var/lib/suricata/rules
- The output directory for rules processed by the suricata-update tool. This directory is owned and managed by suricata-update and should not be touched by the user.
/var/lib/suricata/rules/suricata.rules
- The default output filename for the rules processed by suricata-update. This is a single file containing all the rules from all input files, and it is the file Suricata should load.
- Directory where downloaded rule files are cached.
- Cached copy of the rule source index.
- Configuration directory for sources enabled or added with