-
Notifications
You must be signed in to change notification settings - Fork 2
Configuration Ruleset on GNU Linux
This manual provides a step-by-step guide to configure the julioliraup/Antiphishing ruleset using suricata-update via Command Line Interface (CLI) on GNU/Linux. Since this rule is natively included in the official index, you can activate it directly across any GNU/Linux distribution.
For ClearOS, consider the standard CentOS structure
Because the rule source is built straight into the index, you only need to trigger its activation using its native identifier.
Steps:
- Open a terminal emulator.
- Update the local index cache list to discover newly indexed rulesets.
- Enable the native
julioliraup/antiphishingsource feed.
# Update the local rule index index cache
sudo suricata-update update-sources
# Enable the natively indexed antiphishing ruleset source
sudo suricata-update enable-source julioliraup/antiphishingRunning the update engine parses your enabled sources, fetches the active signatures, and combines them into your deployment target file.
Steps:
- Run the update manager to fetch and compile the ruleset.
- The tool automatically generates the consolidated master file at
/var/lib/suricata/rules/suricata.rules.
# Fetch signatures and rebuild the unified ruleset file
sudo suricata-updateIf your environment utilizes standard paths, suricata.rules is already linked inside your profile. You just need to ensure the configuration reads this update folder.
Steps:
- Open your
suricata.yamlconfiguration matrix to confirm rule loading paths. - Ensure the active
rule-files:property targetssuricata.rules.
# Verify the configuration matches the automated update file path
sudo nano /etc/suricata/suricata.yaml
# Ensure your block maps correctly to the suricata-update output:
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rulesOnce configured, the Suricata engine needs to load the modified database profile into active memory. First, validate your syntax, then use the command matching your distribution's init system.
Steps:
- Test the internal text syntax configuration rules.
- Restart the background service process depending on your init system.
# ALWAYS TEST FIRST: Test the configuration profile syntax consistency
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# FOR SYSTEMD (Ubuntu, Debian, Fedora, RHEL, Arch, etc.):
sudo systemctl restart suricata
# FOR OPENRC (Alpine Linux, Gentoo, Artix):
sudo rc-service suricata restart
# FOR SYSVINIT (Older Debian/Ubuntu, Devuan, MX Linux antiX):
sudo service suricata restart
# FOR RUNIT (Void Linux, AntiX Runit):
sudo sv restart suricataTest the detection engine by requesting a known malicious domain included in the list.
Steps:
- From the GNU/Linux machine, request a test string from the malicious domain database.
- Read the fast alert log output to find active signature matches.
# Trigger an HTTP request to an active phishing rule target
curl -I http://ww-brasilrodovias.click
# Inspect the live engine alerts log file for triggered events
sudo tail -f /var/log/suricata/fast.logNow just search for the SIDs in the panel julioliraup.github.io/AT. For random information security analysis in Portuguese, access julioliraup.github.io and long live free software!