suricata-update [OPTIONS]
suricata-update aims to be a simple-to-use rule download and management tool for Suricata.
-o, --output
The directory to output the rules to.
Default: /var/lib/suricata/rules
--force
Force remote rule files to be downloaded even when they otherwise would not be, either because they were downloaded very recently or because the remote checksum matches the cached copy.
--merged=<filename>
Write a single file containing all rules. This can be used in addition to --output or instead of --output.
--no-merge
Do not merge the rules into a single rule file.
Warning: No attempt is made to resolve conflicts if two input rule files have the same name.
--yaml-fragment=<filename.yaml>
Output a fragment of YAML containing the rule-files section, with all downloaded rule files listed, for inclusion in your suricata.yaml.
--url=<url>
A URL to download rules from. This option can be used multiple times.
--local=<filename or directory>
A path to a filename or directory of local rule files to include.
If the path is a directory all files ending in .rules will be loaded.
Wildcards are accepted but to avoid shell expansion the argument must be quoted, for example:
--local '/etc/suricata/custom-*.rules'
This option can be specified multiple times.
--sid-msg-map=<filename>
Output a v1 style sid-msg.map file.
--sid-msg-map-2=<filename>
Output a v2 style sid-msg.map file.
--disable-conf=<disable.conf>
Specify the configuration file for disable filters.
See example-disable-conf
--enable-conf=<enable.conf>
Specify the configuration file for enable rules.
See example-enable-conf
--modify-conf=<modify.conf>
Specify the configuration file for rule modification filters.
See example-modify-conf
--drop-conf=<drop.conf>
Specify the configuration file for drop filters.
See example-drop-conf
--ignore=<pattern>
Filenames to ignore. This is a pattern that is matched against the basename of each rule file.
This argument may be specified multiple times.
Default: *deleted.rules
Example:
--ignore dnp3-events.rules --ignore deleted.rules --ignore "modbus*"
Note
If --ignore is specified, the default value of *deleted.rules is no longer used, so add it as an extra ignore if needed.
--no-ignore
Disable the --ignore option. Most useful to disable the default ignore pattern without adding others.
--etopen
Download the ET/Open ruleset.
This is the default action if no --url options are provided and no sources are configured.
Use this option to enable the ET/Open ruleset in addition to any URLs provided on the command line or sources provided in the configuration.
--dump-sample-configs
Output sample configuration files for the --disable, --enable, --modify and --threshold-in commands.
--threshold-in=<threshold.conf.in>
Specify the threshold.conf input template.
--threshold-out=<threshold.conf>
Specify the name of the processed threshold.conf to output.
-T <command>, --test-command <command>
Specifies a custom test command to test the rules before reloading Suricata. This overrides the default command and can also be specified in the configuration file under test-command.
--no-test
Disable the test command and proceed as if it had passed.
--reload-command=<command>
A command to run after the rules have been updated; it will not run if the output files did not change. For example:
--reload-command='sudo kill -USR2 $(cat /var/run/suricata.pid)'
will tell Suricata to reload its rules.
--no-reload
Disable Suricata rule reload.
-V, --version
Display the version of suricata-update.
Rules can be matched for disabling, enabling, converting to drop, or modification by any of the following:
- signature ID
- regular expression
- rule group
- filename
A rule can be matched by its signature ID alone, for example:
1034
The generator ID can also be used for compatibility with other tools:
1:1034
The regular expression matcher matches a regular expression against the complete rule text. Examples:
re:heartbleed
re:MS(0[7-9]|10)-\d+
The group matcher matches against the group the rule was loaded from. This is the filename without the leading path or file extension. Examples:
group:emerging-icmp.rules
group:emerging-dos
Wildcard matching similar to the wildcards used in a Unix shell can also be used:
group:*deleted*
The filename matcher matches against the filename the rule was loaded from taking into consideration the full path. Shell wildcard patterns are allowed:
filename:rules/*deleted*
filename:*/emerging-dos.rules
Rule modification can be done with regular expression search and replace. The basic format for a rule modification specifier is:
<match> <from> <to>
where <match> is one of the rule matchers from above, <from> is the text to be replaced and <to> is the replacement text.
Example converting all alert rules to drop:
re:. ^alert drop
Example converting all drop rules with noalert back to alert:
re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"
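The following Python is an added illustration of the matcher and modification syntax described above, written for this page; it is not code from suricata-update itself. It reimplements the sid, gid:sid, re:, group: and filename: matchers and the <match> <from> <to> modification line over a handful of constructed sample rules (the rule texts, sids and paths are made up for the example), and also shows the --ignore basename matching. Two assumptions are made explicit in the code: the group: matcher is taken to compare the pattern against the basename both with and without its extension, so that both group:emerging-dos.rules and group:emerging-dos match as the examples above show, and the three fields of a modify line are split shell-style so the quoted forms above survive.

```python
import fnmatch
import os
import re
import shlex

# Constructed sample rules for this illustration (not from any real ruleset).
# Each entry is (path the rule was loaded from, rule text); the paths mimic
# files inside a downloaded ruleset plus one --local file.
SAMPLE_RULES = [
    ("rules/emerging-dos.rules",
     'alert tcp any any -> any 80 (msg:"DOS test"; sid:2000001; rev:1;)'),
    ("rules/emerging-icmp.rules",
     'alert icmp any any -> any any (msg:"ICMP test"; sid:1034; rev:2;)'),
    ("rules/deleted.rules",
     'alert tcp any any -> any any (msg:"old MS08-067 rule"; sid:3000; rev:1;)'),
    ("/etc/suricata/custom-local.rules",
     'drop tcp any any -> any 443 (msg:"heartbleed probe"; noalert; sid:9000001; rev:1;)'),
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def rule_sid(rule):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_gid(rule):
    # A rule without an explicit gid belongs to generator 1.
    m = GID_RE.search(rule)
    return int(m.group(1)) if m else 1


def parse_matcher(spec):
    """Turn one matcher (sid, gid:sid, re:, group:, filename:) into a
    predicate over (filename, rule_text)."""
    spec = spec.strip()
    if spec.startswith("re:"):
        # Regular expressions are searched over the complete rule text.
        pat = re.compile(spec[len("re:"):])
        return lambda fn, rule: pat.search(rule) is not None
    if spec.startswith("group:"):
        pat = spec[len("group:"):]

        def group_match(fn, rule):
            base = os.path.basename(fn)
            stem = os.path.splitext(base)[0]
            # Assumption for this example: match the basename with or without
            # its extension, so group:emerging-dos.rules and group:emerging-dos
            # both select the same file.
            return fnmatch.fnmatch(base, pat) or fnmatch.fnmatch(stem, pat)
        return group_match
    if spec.startswith("filename:"):
        pat = spec[len("filename:"):]
        # Filename patterns are matched against the path the rule came from.
        return lambda fn, rule: fnmatch.fnmatch(fn, pat)
    # Plain "sid" or "gid:sid".
    if ":" in spec:
        gid, sid = (int(x) for x in spec.split(":", 1))
    else:
        gid, sid = 1, int(spec)
    return lambda fn, rule: rule_gid(rule) == gid and rule_sid(rule) == sid


def select_sids(spec, rules=SAMPLE_RULES):
    """Return the sids selected by one disable/enable/drop.conf line."""
    pred = parse_matcher(spec)
    return [rule_sid(rule) for fn, rule in rules if pred(fn, rule)]


def apply_modify(line, rules=SAMPLE_RULES):
    """Apply one modify.conf line, '<match> <from> <to>', and return the
    rewritten (filename, rule) list. Assumption: the three fields are split
    shell-style, so quoted <from>/<to> values with spaces or backslashes
    survive as in the quoted example above."""
    match_spec, frm, to = shlex.split(line)
    pred = parse_matcher(match_spec)
    pat = re.compile(frm)
    return [(fn, pat.sub(to, rule) if pred(fn, rule) else rule)
            for fn, rule in rules]


def is_ignored(path, patterns=("*deleted.rules",)):
    """--ignore semantics: patterns are matched against the basename only."""
    base = os.path.basename(path)
    return any(fnmatch.fnmatch(base, p) for p in patterns)


def action_of(rule):
    """The rule action is the first word of the rule text."""
    return rule.split(None, 1)[0]


if __name__ == "__main__":
    for spec in ("1034", "1:1034", r"re:MS(0[7-9]|10)-\d+",
                 "group:emerging-dos", "filename:rules/*deleted*"):
        print(spec, "->", select_sids(spec))
    dropped = apply_modify("re:. ^alert drop")
    print([action_of(r) for _, r in dropped])
    restored = apply_modify(
        r're:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"', dropped)
    print([action_of(r) for _, r in restored])
```

Running the two modify lines from the text in sequence shows why the second one exists: after `re:. ^alert drop` every rule is a drop rule, and only the rule carrying `noalert` is converted back to alert by the second line, the rest stay as drop.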