Install Suricata Update¶
If you have already installed Suricata 4.1 or newer you
likely already have Suricata-Update installed. Please check
suricata-update command is available to you
Suricata-Update is a tool written in Python and best installed with
pip tool for installing Python packages.
Pip can install
suricata-update globally making it available to
all users or it can install
suricata-update into your home
directory for use by your user.
At some point
suricata-update should be bundled with
Suricata avoid the need for a separate installation.
pip install --upgrade suricata-update
or to install it to your own directory:
pip install --user --upgrade suricata-update
When installing to your home directory the
suricata-update program will be installed to
$HOME/.local/bin, so make sure this directory is in your
Directories and Permissions¶
In order for
suricata-update to function, the following
permissions are required:
- Directory /etc/suricata: read/write access
- Directory /var/lib/suricata/rules: read/write access
- Directory /var/lib/suricata/update: read/write access
One option is to simply run
suricata-update as root or with
It is recommended to create a
suricata group and setup
the above directories with the correct permissions for
suricata group then add users to the
Steps to setup the above directories with the correct permissions:
First, create a group
sudo groupadd suricata
Next, change the group of the directories and its files recursively:
sudo chgrp -R suricata /etc/suricata sudo chgrp -R suricata /var/lib/suricata/rules sudo chgrp -R suricata /var/lib/suricata/update
/var/lib above are used
in the default configuration and are dependent on paths set
during compilation. By default, these paths are set to
Please check your configuration for appropriate paths.
Setup the directories with the correct permissions for the
sudo chmod -R g+r /etc/suricata/ sudo chmod -R g+rw /var/lib/suricata/rules sudo chmod -R g+rw /var/lib/suricata/update
Now, add user to the group:
sudo usermod -a -G suricata username
Verify whether group has been changed:
ls -al /etc/suricata ls -al /var/lib/suricata/rules ls -al /var/lib/suricata/update
Reboot your system. Run
suricata-update without a sudo to check
if suricata-update functions.
Update Your Rules¶
Without doing any configuration the default operation of
suricata-update is to use the Emerging Threats Open ruleset.
This command will:
- Look for the
suricataprogram on your path to determine its version.
- Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for filters to apply to the downloaded rules. These files are optional and do not need to exist.
- Download the Emerging Threats Open ruleset for your version of Suricata, defaulting to 4.0.0 if not found.
- Apply enable, disable, drop and modify filters as loaded above.
- Write out the rules to
- Run Suricata in test mode on
Suricata-Update is also capable of triggering a rule reload, but doing so requires some extra configuration that will be covered later. See the documentation of --reload-command=<command> for more details.
Configure Suricata to Load Suricata-Update Managed Rules¶
suricata-update was installed for you by Suricata,
then your Suricata configuration should already be setup to
work with Suricata-Update.
If upgrading from an older version of Suricata, or running a
development version that may not be bundled with Suricata-Update, you
will have to check that your
suricata.yaml is configured for
Suricata-Update. The main difference is the
/var/lib/suricata/rules when using Suricata-Update.
You will want to update your
suricata.yaml to have the following:
default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules
If you have local rules you would like Suricata to load, these can be listed here as well by using the full path name.
Discover Other Available Rule Sources¶
First update the rule source index with the
Then list the sources from the index. Example:
Now enable the ptresearch/attackdetection ruleset:
suricata-update enable-source ptresearch/attackdetection
And update your rules again:
List Enabled Sources¶
suricata-update list-sources --enabled
Disable a Source¶
suricata-update disable-source et/pro
Disabling a source keeps the source configuration but disables. This is useful when a source requires parameters such as a code that you don’t want to lose, which would happen if you removed a source.
Enabling a disabled source re-enables without prompting for user inputs.
Remove a Source¶
suricata-update remove-source et/pro
This removes the local configuration for this source. Re-enabling et/pro will requiring re-entering your access code.