Suricata auto update for custom rules?



  • Hi all
    I have installed Suricata.
    Now I want to use the SSL blacklist for Suricata from abuse.ch ( https://sslbl.abuse.ch/blacklist/sslblacklist.rules )
    I can put this with a copy/paste in the wan/rules->custom.rules to make it work…but is there a way to make updates automatic like ET or VRT?
    Can I make a cronjob to download that .rules file to /usr/pbi/suricata-amd64/etc/suricata/suricata_41488_re1/rules/custom.rules? Then how can I tell Suricata to automatically reload the rules? (Or will it reload them when there is an ET or VRT update?)

    Thanks in advance



  • They are covered in ET Trojan Rules. Have a look.

    F.



  • @jackyes89:

    Hi all

    …Can I make a cronjob to download that .rules file to /usr/pbi/suricata-amd64/etc/suricata/suricata_41488_re1/rules/custom.rules? Then how can I tell Suricata to automatically reload the rules? (Or will it reload them when there is an ET or VRT update?)

    Thanks in advance

    Yes, you could use a cron task to download that file and save it as the custom.rules file you referenced.  You can then tell Suricata to reload the rules in your cron task.

    Suricata will do what's called a Live Rule Reload if you send it the signal USR2 like this:

    [code]
    
    /bin/pkill -USR2 suricata
    
    [/code]
    
    This will cause all Suricata processes to re-read the rules files configured in their respective [i]suricata.yaml[/i] file.
    
    There is one big caveat here, though.  Suricata will overwrite your [i]custom.rules[/i] file the next time it is restarted or if the ET or VRT rules update.  This is because Suricata builds that [i]custom.rules[/i] file from contents stored in the config.xml file.  Here is a slightly better way:
    
    1.  Save your downloaded rules to a file with a different name but in the same path as the [i]custom.rules[/i] file.
    
    2.  Hand-edit the file [b]/usr/local/pkg/suricata/suricata_yaml_template.inc[/b].  Find this section of the file and edit it like this:
    
    [b]As-Found[/b]
    [code]
    
    default-rule-path: {$suricatacfgdir}/rules
    rule-files:
     - {$rules_files}
    
    [/code]
    
    [b]After-Edit[/b]
    [code]
    
    default-rule-path: {$suricatacfgdir}/rules
    rule-files:
     - {$rules_files}
     - myrules.rules
    
    [/code]
    
    You can substitute the actual name for your SSL rules files where I used "myrules.rules".  This edits the template Suricata uses to write the suricata.yaml file, so every time it rebuilds the suricata.yaml for an interface it will include your custom file.  If you run Suricata on multiple interfaces, then you will need to put an empty file with the same name in your other Suricata directories.  If you don't, when their YAML config file is created from the template, they will try to read the "myrules.rules" file, won't be able to find it in their directory, and will error out.
    
    Bill
    
    
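    As an added example (not from the thread, and not pfSense package code), here is the cron job Bill describes written as a POSIX shell script: it downloads the abuse.ch list into a separately named rules file so the package does not overwrite it, refuses to install a download that contains no signatures (for example an HTTP error page), swaps the file in atomically, and then sends USR2. The rules directory, the name myrules.rules and the use of curl are assumptions; set RULES_DIR to the rules directory of your interface.

```shell
#!/bin/sh
# Added example: fetch the abuse.ch SSL blacklist into a separately named rules
# file and ask Suricata for a Live Rule Reload. Paths and names are assumptions.
# Example crontab line (assumed path):  0 */6 * * * /usr/local/bin/sslbl-update.sh run
set -eu

RULES_URL="https://sslbl.abuse.ch/blacklist/sslblacklist.rules"
RULES_DIR="${RULES_DIR:-/usr/pbi/suricata-amd64/etc/suricata/suricata_41488_re1/rules}"
RULES_NAME="myrules.rules"   # must match the name added to suricata_yaml_template.inc

# Count signature lines (alert/drop/pass/reject at the start of a line), so an
# HTML error page or a truncated download is never installed as a rule set.
# Prints 0 for a missing or empty file.
count_signatures() {
    n=$(grep -c -E '^(alert|drop|pass|reject) ' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Install $1 as $2/$RULES_NAME only if it holds at least MIN_SIGS signatures.
# Copies to a temp file in the same directory and renames it, so Suricata never
# reads a half-written file. Returns 1 and keeps the old file otherwise.
install_rules() {
    sigs=$(count_signatures "$1")
    if [ "$sigs" -lt "${MIN_SIGS:-1}" ]; then
        echo "refusing to install $1: only $sigs signatures found" >&2
        return 1
    fi
    tmp="$2/.$RULES_NAME.tmp"
    cp "$1" "$tmp" && mv "$tmp" "$2/$RULES_NAME"
}

# Download, validate, install, then signal every Suricata process to re-read
# the rule files listed in its suricata.yaml (USR2 = Live Rule Reload).
fetch_and_reload() {
    tmp=$(mktemp) || return 1
    # curl -f: treat HTTP errors as failures instead of saving the error body
    if curl -fsS -o "$tmp" "$RULES_URL" && install_rules "$tmp" "$RULES_DIR"; then
        /bin/pkill -USR2 suricata
    fi
    rm -f "$tmp"
}

# Only fetch when invoked with "run" (as from cron); otherwise just define the
# functions so the script can be sourced or tested without network access.
if [ "${1:-}" = "run" ]; then
    fetch_and_reload
fi
```

    Create an empty myrules.rules in the rules directory of every other Suricata interface, as Bill notes, or those interfaces will fail to start after their suricata.yaml is rebuilt.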


  • Thanks!!! ;D



  • Oh…and one other small point.  Each time you update the Suricata package (or it gets reinstalled as part of a pfSense update), you will need to repeat the hand-edit of that /usr/local/pkg/suricata/suricata_yaml_template.inc file because it will be overwritten when Suricata is reinstalled.

    Bill

