Modified suricata-update utility. Adds the ability to insert rules into a database table, for use with a modified Suricata instance that reads its rules from that table.

Important steps include:
- Create the database `suricata`.
- Configure the MySQL connection file `my.cnf`.
- Run suricata-update with the special option, like below:

`suricata-update --database --mysql-database /etc/suricata/my.cnf`

Rules are loaded into the database and updated in place when a newer revision arrives; the enabled/disabled field in the database is left untouched by a load.
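The load-and-preserve behaviour described above, as an added example that is not the fork's own code: it parses Suricata rule lines for `sid`/`rev` and a leading `#` (disabled), then loads them so that new sids are inserted, existing sids are rewritten only when the revision increased, and the `enabled` column is never written by a load. Python's built-in sqlite3 stands in for MySQL so it runs without a server; the table name `rules`, its columns and the sample rule text are assumptions for the example, not the fork's schema.

```python
import re
import sqlite3

# Constructed sample rule files (not from the page). A leading '#' marks a rule
# that is present in the source but disabled, as in suricata-update's output.
RULES_FIRST_RUN = """\
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; sid:9000001; rev:1;)
# alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; sid:9000002; rev:1;)
"""
RULES_SECOND_RUN = """\
alert tcp any any -> any 80 (msg:"EXAMPLE web probe v2"; content:"GET"; sid:9000001; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; sid:9000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (sid, rev, enabled, rule_text) for every rule line in text.

    Blank lines and comments without a sid are skipped; a commented-out
    rule is returned with enabled=0 and the '#' stripped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = 1
        if line.startswith("#"):
            enabled = 0
            line = line.lstrip("#").strip()
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # an ordinary comment, not a disabled rule
        rev_match = REV_RE.search(line)
        rev = int(rev_match.group(1)) if rev_match else 0
        yield int(sid_match.group(1)), rev, enabled, line


def open_db(path=":memory:"):
    """Create the (assumed) rules table; sqlite3 stands in for MySQL here."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS rules ("
        " sid INTEGER PRIMARY KEY,"
        " rev INTEGER NOT NULL,"
        " enabled INTEGER NOT NULL,"
        " rule TEXT NOT NULL)"
    )
    return conn


def load_rules(conn, text):
    """Load rules the way the README describes the fork's behaviour.

    New sids are inserted with the enabled state from the source file.
    Existing sids are rewritten only if the incoming rev is higher, and the
    UPDATE deliberately omits the enabled column so operator decisions made
    in the database survive every run. Returns (inserted, updated, skipped).
    """
    inserted = updated = skipped = 0
    for sid, rev, enabled, rule in parse_rules(text):
        row = conn.execute("SELECT rev FROM rules WHERE sid = ?", (sid,)).fetchone()
        if row is None:
            conn.execute(
                "INSERT INTO rules (sid, rev, enabled, rule) VALUES (?, ?, ?, ?)",
                (sid, rev, enabled, rule),
            )
            inserted += 1
        elif rev > row[0]:
            conn.execute("UPDATE rules SET rev = ?, rule = ? WHERE sid = ?", (rev, rule, sid))
            updated += 1
        else:
            skipped += 1
    conn.commit()
    return inserted, updated, skipped


def get_rule(conn, sid):
    """Return the stored row for a sid as a dict, or None."""
    row = conn.execute("SELECT rev, enabled, rule FROM rules WHERE sid = ?", (sid,)).fetchone()
    return None if row is None else {"rev": row[0], "enabled": row[1], "rule": row[2]}


def demo():
    """First load, operator edits in the database, then a second load."""
    conn = open_db()
    first = load_rules(conn, RULES_FIRST_RUN)    # 2 inserted
    # Operator flips both rules in the database, contrary to the source file.
    conn.execute("UPDATE rules SET enabled = 0 WHERE sid = 9000001")
    conn.execute("UPDATE rules SET enabled = 1 WHERE sid = 9000002")
    conn.commit()
    second = load_rules(conn, RULES_SECOND_RUN)  # 1 updated (rev 2), 1 skipped
    return conn, first, second


if __name__ == "__main__":
    conn, first, second = demo()
    print("first run (inserted, updated, skipped):", first)
    print("second run (inserted, updated, skipped):", second)
    for sid in (9000001, 9000002):
        print(sid, get_rule(conn, sid))
```

Running the demo shows sid 9000001 moving to rev 2 while staying disabled, and sid 9000002 staying enabled even though the second source file only carries the same rev 1 and would otherwise re-enable it.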
Requires the Python MySQL connector:

```bash
sudo apt-get install python3-mysql.connector
```
Edit the my.cnf file at /etc/suricata/my.cnf and make sure the connection parameters match your MySQL server:
- by default it assumes localhost.
- by default it assumes port 5432
- create the user with (MySQL account names are case-sensitive, so the name must match the `user` in my.cnf):

`CREATE USER 'suricata'@'localhost' IDENTIFIED BY 'password';`

- grant all permissions to the user (a grant limited to the `suricata` database, `ON suricata.*`, is the least-privilege choice if the fork only needs that database):

`GRANT ALL PRIVILEGES ON *.* TO 'suricata'@'localhost';`

- use these credentials in the my.cnf file.
```ini
[client]
database = suricata
user = suricata
password = password
default-character-set = utf8
```
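An added helper, not part of the fork, that reads the `[client]` section of such a file with Python's configparser and reports when the file is readable by group or other: it stores the database password in plaintext, so it should be mode 0600 and owned by the account that runs suricata-update. The sample content and the temporary file path are constructed for the example; mysql.connector can consume the same file directly through its `option_files` argument.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample, mirroring the [client] section shown in the README.
SAMPLE_MY_CNF = """\
[client]
database = suricata
user = suricata
password = password
default-character-set = utf8
"""

REQUIRED_KEYS = ("database", "user", "password")


def read_client_section(path):
    """Parse the [client] section of a my.cnf-style file into a dict.

    Raises ValueError when the section or a required key is missing, so a
    misconfigured file fails before any connection attempt is made.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    with open(path, "r", encoding="utf-8") as fh:
        cfg.read_file(fh)
    if not cfg.has_section("client"):
        raise ValueError("%s: missing [client] section" % path)
    client = dict(cfg["client"])
    missing = [key for key in REQUIRED_KEYS if key not in client]
    if missing:
        raise ValueError("%s: missing key(s): %s" % (path, ", ".join(missing)))
    # The README states localhost is assumed when no host is given.
    client.setdefault("host", "localhost")
    return client


def check_file_permissions(path):
    """Return findings about who can read the file besides its owner.

    The file carries a plaintext password, so group/other read bits are
    reported; an empty list means the mode is acceptable (e.g. 0600).
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("%s is readable by group/other (mode %04o); use chmod 600"
                        % (path, mode))
    return findings


def write_sample(path, mode):
    """Write the constructed sample file with the given mode (demo helper)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MY_CNF)
    os.chmod(path, mode)
    return path


def demo():
    """Write the sample once too permissive, then locked down, and check both."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "my.cnf")  # stand-in for /etc/suricata/my.cnf
    write_sample(path, 0o644)
    loose = check_file_permissions(path)
    os.chmod(path, 0o600)
    tight = check_file_permissions(path)
    return read_client_section(path), loose, tight


if __name__ == "__main__":
    client, loose, tight = demo()
    print("client settings:",
          {k: ("***" if k == "password" else v) for k, v in client.items()})
    print("findings at 0644:", loose)
    print("findings at 0600:", tight)
```

The permission check is worth running from whatever wrapper invokes `suricata-update --database`, since a world-readable my.cnf hands the rule-table credentials to every local user.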
Get a Suricata instance that can load rules from the database here: https://github.com/CosmoRied/suricata

Everything else is the same as the origin branch.
suricata-update

The default invocation of suricata-update will perform the following:
- Read the configuration, /etc/suricata/update.yaml, if it exists.
- Read in the rule filter configuration files:
  - /etc/suricata/disable.conf
  - /etc/suricata/enable.conf
  - /etc/suricata/drop.conf
  - /etc/suricata/modify.conf
- Download the best version of the Emerging Threats Open ruleset for the version of Suricata found.
- Read in the rule files provided with the Suricata distribution from /etc/suricata/rules.
- Apply disable, enable, drop and modify filters.
- Resolve flowbits.
- Write the rules to /var/lib/suricata/rules/suricata.rules.
If you are not yet ready to use /var/lib/suricata/rules then you may be interested in the --output and --no-merge command line options.

The default Suricata configuration needs to be updated to find the rules in the new location. Example suricata.yaml:

```yaml
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
```

Optionally `-S /var/lib/suricata/rules/suricata.rules` could be provided on the Suricata command line.
This suricata-update tool is based around the idea that /etc/suricata should not be used for active rule management, but instead as a location for more or less static configuration. Instead, /var/lib/suricata is used for rule management and /etc/suricata/rules is used as a source for rule files provided by the Suricata distribution.
`/usr/share/suricata/rules`
- Used as a source of rules provided by the Suricata engine. If this directory does not exist, `/etc/suricata/rules` will be used.

`/etc/suricata/update.yaml`
- The default location for the suricata-update configuration file.

`/etc/suricata/disable.conf`
- Default location for disable rule filters if not provided in the configuration file or command line.

`/etc/suricata/enable.conf`
- Default location for enable rule filters if not provided in the configuration file or command line.

`/etc/suricata/drop.conf`
- Default location for drop rule filters if not provided in the configuration file or command line.

`/etc/suricata/modify.conf`
- Default location for modify rule filters if not provided in the configuration file or command line.

`/var/lib/suricata/rules`
- The output directory for rules processed by the suricata-update tool. This directory is owned and managed by suricata-update and should not be touched by the user.

`/var/lib/suricata/rules/suricata.rules`
- The default output filename for the rules processed by suricata-update. This is a single file that contains all the rules from all input files and should be used by Suricata.

`/var/lib/suricata/update/cache`
- Directory where downloaded rule files are cached.

`/var/lib/suricata/rules/cache/index.yaml`
- Cached copy of the rule source index.

`/var/lib/suricata/update/sources`
- Configuration directory for sources enabled or added with `enable-source` or `add-source`.