Adding Suricata custom rules from external tools



  • After reading through lots of discussions like:

    it seems that adding "custom rules" to Suricata is still a quite complicated process when you need to go beyond the prepared basic "GUI input textbox".

    My need to add custom rules grew from using the "textbox" to something more "scriptable" when I started trying to implement an integration of Suricata with the Incident Response Tools "MISP" and "The Hive" via their Python APIs.

    By linking both "worlds" I expect improvements and ease of use for publishing and activating new rulesets based on the shared threat data from the MISP / The Hive tools.

    Programming something on my own is possible, but not really straightforward.
    Especially when it comes to points like "package updates" etc.

    My question is now:

    • What is the recommended way to trigger an implementation like this?
    • Is there a GitHub repo where I can place a feature request (e.g. @bmeeks Suricata fork?)?

    Thanks a lot in advance,

    Michl

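As an added example (not code from the thread or from the Suricata package), the kind of "scriptable" step the question describes: turning indicator records into Suricata rule lines with locally assigned SIDs. The MISP attribute types and sample values are constructed assumptions; no MISP or The Hive API is called.

```python
"""Generate Suricata rules from threat-intel indicators (added example).

The indicator records below are constructed to mimic attribute fields one
could fetch from a MISP event via its Python API; no API call is made.
"""
import ipaddress
import re

# Constructed sample records (hypothetical values, not real indicators).
SAMPLE_INDICATORS = [
    {"type": "ip-dst", "value": "203.0.113.5", "comment": "C2 from event 42"},
    {"type": "domain", "value": "bad.example", "comment": "phishing domain"},
    {"type": "domain", "value": "bad.example", "comment": "duplicate entry"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "comment": "x"},
]

SID_BASE = 1000000  # keep local rules in the range reserved for local use
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$", re.I)

def _clean_msg(text):
    """Strip characters that would terminate or break the msg option."""
    return re.sub(r'[";|\\]', " ", text).strip()


def indicators_to_rules(indicators, sid_base=SID_BASE):
    """Return one Suricata rule string per supported, unique indicator.

    Deduplicates on (type, value) so a re-run does not emit colliding
    rules; unsupported attribute types are skipped rather than guessed.
    """
    rules, seen, sid = [], set(), sid_base
    for ind in indicators:
        key = (ind["type"], ind["value"].lower())
        if key in seen:
            continue
        msg = _clean_msg(f"TI {ind['type']} {ind['value']} - {ind.get('comment', '')}")
        if ind["type"] == "ip-dst":
            ipaddress.ip_address(ind["value"])  # raises ValueError on bad input
            rule = (f'alert ip $HOME_NET any -> {ind["value"]} any '
                    f'(msg:"{msg}"; sid:{sid}; rev:1;)')
        elif ind["type"] == "domain" and DOMAIN_RE.match(ind["value"]):
            rule = (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                    f'content:"{ind["value"]}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue
        seen.add(key)
        rules.append(rule)
        sid += 1
    return rules
```

Write the returned lines to a file listed under `rule-files` in suricata.yaml and run `suricata -T -c <suricata.yaml>` to validate the ruleset before reloading it.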


  • The Suricata GUI package on pfSense is designed to make the deployment of an IDS/IPS somewhat simpler for users new to such technology. If you are at an advanced level where you want to integrate with multiple other systems and construct on-the-fly rules using script tools, then you really should abandon the GUI part of the package and simply use the Suricata binary itself. You can do that by simply installing Suricata from FreeBSD ports. You are going to have to install all of the other scripting language dependencies from there anyway.

    I am not in favor of loading up the Suricata package with a ton of new dependencies when the vast majority of users would likely not need them for a basic IDS/IPS. I'm talking about things like Python, Go, (and heaven forbid one old suggestion even needed Java! Can you imagine the security holes your firewall would have with Java installed on it?).

    There is a GitHub site for all of the pfSense packages here. You are free to submit pull requests there. I usually am asked for my opinion, but the pfSense developers have final say in what is accepted into the package.