Support #2804
Status: closed
Behavior old rules, during update
Description
Hi,
I need someone to explain this to me.
I have Suricata in IDS mode; to update rules I use the suricata-update module: https://github.com/OISF/suricata-update
My rules are in one file, suricata.rules.
Let's assume that I comment out some rules, but the systematic update uncomments my rules.
How do I prevent this?
Updated by Andreas Herz about 5 years ago
Can you be more verbose about what you want to achieve?
There is the possibility to enable/disable specific rules as well, see https://suricata.readthedocs.io/en/suricata-4.1.2/rule-management/suricata-update.html#controlling-which-rules-are-used
Updated by Jason Ish about 5 years ago
Dan X wrote:
Hi,
I need someone to explain this to me.
I have Suricata in IDS mode; to update rules I use the suricata-update module: https://github.com/OISF/suricata-update
My rules are in one file, suricata.rules.
Let's assume that I comment out some rules, but the systematic update uncomments my rules.
How do I prevent this?
It helps to think of the suricata-update generated rules file as compiler output. If you modify /var/lib/suricata/rules/suricata.rules, your changes will be overwritten the next time you run it.
Instead of editing that file directly, you'll want to add a disable.conf and add the SIDs, or regular expressions, of the rules you want to disable. Rule modifications more advanced than simply enabling/disabling can be done with the modify.conf.
Some of this is covered here: https://suricata-update.readthedocs.io/en/latest/update.html#rule-matching
But I realize some of this documentation was written with the idea that people had experience with Pulled Pork and/or Oinkmaster and were migrating to suricata-update.
Updated by Dan X about 5 years ago
Ok. So if I want to turn off some rules, I create the file "/etc/suricata/disable.conf" and put the rule IDs I want off in there, yes?
But must I put the path "/etc/suricata/disable.conf" in my suricata.yaml config, or somewhere else?
Updated by Jason Ish about 5 years ago
Dan X wrote:
Ok. So if I want to turn off some rules, I create the file "/etc/suricata/disable.conf" and put the rule IDs I want off in there, yes?
But must I put the path "/etc/suricata/disable.conf" in my suricata.yaml config, or somewhere else?
Yes, in most basic installs you can just create the file /etc/suricata/disable.conf. That is all you should need, and suricata-update should pick it up. Do not add anything to your suricata.yaml.
If suricata-update does not appear to be picking up the disable.conf file, you can do something like:
suricata-update --disable-conf /etc/suricata/disable.conf
Updated by Dan X about 5 years ago
It's working. Thank you very much.
One more question. If I want to modify some rule, must I copy this rule, create a new *.rules file, paste it there and modify it? And add this original rule ID to disable.conf???
PS: thanks again ;)
Updated by Jason Ish about 5 years ago
Dan X wrote:
It's working. Thank you very much.
One more question. If I want to modify some rule, must I copy this rule, create a new *.rules file, paste it there and modify it? And add this original rule ID to disable.conf???
PS: thanks again ;)
If you can modify with a regular expression substitution, you can use a modify.conf. However, if it requires more than that, I would:
- Copy the rule into some file you control, "local.rules" perhaps.
- Give the rule a SID in your own custom range (10000000+ should do).
- Disable the rule you are replacing in your disable.conf
- Add the --local command line option and point it at your local.rules, i.e.: --local /etc/suricata/local.rules
Hope that helps.
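As an added illustration of the two answers above (the "compiler output" view of suricata.rules, and the disable.conf / modify.conf / local.rules workflow), here is a small Python model of that pipeline. It is example code written for this page, not suricata-update's own implementation: the upstream rules, SIDs, config contents and the replacement local rule are all constructed, the selector syntax is limited to a bare SID and `re:`, modify.conf lines are assumed to be three whitespace-separated fields with no quoting, and the application order (modify, then disable, then append local rules) is an assumption of this model rather than a statement about suricata-update's internals. The point it shows is that suricata.rules is always regenerated from the upstream input plus these control files, so hand edits to the output cannot survive, while a replacement rule in a private SID range does.

```python
import re

# Constructed sample "upstream" rules, standing in for what suricata-update
# fetches. SIDs, messages and content are made up for this example.
UPSTREAM_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SAMPLE SMTP outbound"; flow:to_server; sid:2000001; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE HTTP user-agent"; content:"curl"; http_user_agent; sid:2000002; rev:1;)
# alert dns any any -> any any (msg:"SAMPLE DNS disabled upstream"; sid:2000003; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE TLS SNI"; tls_sni; content:"example.test"; sid:2000004; rev:2;)
"""

# Constructed disable.conf: one bare SID and one regular-expression selector.
DISABLE_CONF = """\
# disable by SID
2000001
# disable every rule whose text matches this regex
re:TLS SNI
"""

# Constructed modify.conf: "<selector> <regex> <replacement>" (simplified model).
MODIFY_CONF = """\
2000002 \\$EXTERNAL_NET any
"""

# Constructed local.rules: the replacement for SID 2000001, carrying its own
# SID in a private range (10000000+) so it cannot collide with upstream SIDs.
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL SMTP outbound, relays excluded"; flow:to_server; sid:10000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Parse a rules file into dicts; a '#'-prefixed line with a sid is a disabled rule."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped if enabled else stripped.lstrip("# ").strip()
        match = SID_RE.search(body)
        if not match:
            continue  # plain comment, not a commented-out rule
        rules.append({"sid": int(match.group(1)), "enabled": enabled, "text": body})
    return rules


def make_matcher(selector):
    """Turn a selector (bare SID or 're:<regex>') into a predicate over a parsed rule."""
    if selector.startswith("re:"):
        pattern = re.compile(selector[3:])
        return lambda rule: pattern.search(rule["text"]) is not None
    if selector.isdigit():
        sid = int(selector)
        return lambda rule: rule["sid"] == sid
    raise ValueError(f"unsupported selector in this model: {selector!r}")


def _config_lines(text):
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def parse_disable_conf(text):
    return [make_matcher(line) for line in _config_lines(text)]


def parse_modify_conf(text):
    """Each line: selector, regex to find, replacement text (hypothetical simplified format)."""
    mods = []
    for line in _config_lines(text):
        selector, find, replacement = line.split(None, 2)
        mods.append((make_matcher(selector), re.compile(find), replacement))
    return mods


def build_rules(upstream, disable_conf, modify_conf, local_rules):
    """Regenerate the output from scratch: modify, then disable, then append local rules."""
    rules = parse_rules(upstream)
    for matches, pattern, replacement in parse_modify_conf(modify_conf):
        for rule in rules:
            if matches(rule):
                rule["text"] = pattern.sub(replacement, rule["text"])
    disablers = parse_disable_conf(disable_conf)
    for rule in rules:
        if any(matches(rule) for matches in disablers):
            rule["enabled"] = False
    rules.extend(parse_rules(local_rules))
    return rules


def render(rules):
    """Write the merged rules the way suricata.rules looks: disabled rules commented out."""
    return "\n".join(r["text"] if r["enabled"] else "# " + r["text"] for r in rules) + "\n"


def enabled_sids(rules):
    return sorted(r["sid"] for r in rules if r["enabled"])


def duplicate_sids(rules):
    """SIDs used more than once; the reason local rules need their own SID range."""
    seen, dups = set(), []
    for rule in rules:
        if rule["sid"] in seen and rule["sid"] not in dups:
            dups.append(rule["sid"])
        seen.add(rule["sid"])
    return dups


if __name__ == "__main__":
    merged = build_rules(UPSTREAM_RULES, DISABLE_CONF, MODIFY_CONF, LOCAL_RULES)
    print(render(merged))
    print("enabled SIDs:", enabled_sids(merged), "duplicates:", duplicate_sids(merged))
```

Running it prints a regenerated file in which 2000001 (by SID) and 2000004 (by regex) are commented out, 2000003 stays disabled because upstream shipped it that way, 2000002 has its destination rewritten by modify.conf, and the local replacement 10000001 is appended live. Calling `build_rules` a second time starts again from `UPSTREAM_RULES`, which is exactly why edits made to the output file itself disappear on the next update; reusing an upstream SID in local.rules shows up immediately in `duplicate_sids`.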