Support #2804

Behavior old rules, during update

Added by Dan X 6 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I need help with an explanation.
I have Suricata in IDS mode; to update rules I use the suricata-update module (https://github.com/OISF/suricata-update).
My rules are in one file, suricata.rules.
Let's assume that I comment out some rules, but the systematic update uncomments my rules.
How to prevent this?

History

#1

Updated by Andreas Herz 6 months ago

Can you be more verbose about what you want to achieve?

There is the possibility to enable/disable specific rules as well, see https://suricata.readthedocs.io/en/suricata-4.1.2/rule-management/suricata-update.html#controlling-which-rules-are-used

#2

Updated by Jason Ish 6 months ago

Dan X wrote:

Hi,
I need help with an explanation.
I have Suricata in IDS mode; to update rules I use the suricata-update module (https://github.com/OISF/suricata-update).
My rules are in one file, suricata.rules.
Let's assume that I comment out some rules, but the systematic update uncomments my rules.
How to prevent this?

It helps to think of the suricata-update generate rules file as compiler output. If you modify /var/lib/suricata/rules/suricata.rules, your changes will be overwritten the next time you run it.

Instead of editing that file directly, you'll want to add a disable.conf and add the SIDs, or regular expressions, of the rules you want to disable. Rule modifications more advanced than simply enabling/disabling can be done with the modify.conf.

Some of this is covered here: https://suricata-update.readthedocs.io/en/latest/update.html#rule-matching

But I realize some of this documentation was written with the idea that people had experience with Pulled Pork and/or Oinkmaster and were migrating to suricata-update.

#3

Updated by Dan X 6 months ago

Ok. So if I want to turn off some rules, I create the file "/etc/suricata/disable.conf" and put in it the rule IDs which I want off, yes?
But must I put the path "/etc/suricata/disable.conf" in my suricata.yaml config, or somewhere else?

#4

Updated by Jason Ish 6 months ago

Dan X wrote:

Ok. So if I want to turn off some rules, I create the file "/etc/suricata/disable.conf" and put in it the rule IDs which I want off, yes?
But must I put the path "/etc/suricata/disable.conf" in my suricata.yaml config, or somewhere else?

Yes, in most basic installs you can just create the file /etc/suricata/disable.conf. That is all you should need, and suricata-update should pick it up. Do not add anything to your suricata.yaml.

If suricata-update does not appear to be picking up the disable.conf file, you can do something like:

suricata-update --disable-conf /etc/suricata/disable.conf

#5

Updated by Dan X 6 months ago

It's working. Thank you very much.

One more question. If I want to modify some rule, must I copy this rule, create a new *.rules file, paste it there and modify it? And add this original rule ID to disable.conf?

PS: thanks again ;)

#6

Updated by Jason Ish 6 months ago

Dan X wrote:

It's working. Thank you very much.

One more question. If I want to modify some rule, must I copy this rule, create a new *.rules file, paste it there and modify it? And add this original rule ID to disable.conf?

PS: thanks again ;)

If you can modify with a regular expression substitution, you can use a modify.conf. However, if it requires more than that, I would:
- Copy the rule into some file you control, "local.rules" perhaps.
- Give the rule a SID in your own custom range (10000000+ should do).
- Disable the rule you are replacing in your disable.conf.
- Add the --local command line option and point it at your local.rules, i.e.: --local /etc/suricata/local.rules

Hope that helps.
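
Added example, not code from this thread or from suricata-update itself: a small Python emulation of the workflow described above, where the generated rules file is rebuilt from the upstream rules, the disable.conf entries and the local rules. It handles only the plain-SID and "re:" forms of disable.conf entries; the rules, SIDs and file contents are constructed.

```python
import re
# Constructed sample "compiler output" of suricata-update (made-up rules and SIDs, not real ET rules).
UPSTREAM_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE rule one"; sid:2000001; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE rule two"; sid:2000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE dns rule"; sid:2000003; rev:2;)
"""
# Constructed disable.conf: one plain SID entry, one "re:" regex entry, one comment.
DISABLE_CONF = """\
# disable the upstream rule that local.rules replaces
2000001
re:dns rule
"""
# Constructed local.rules: the modified copy, given a SID in a private range.
LOCAL_RULES = """\
alert tcp any any -> any 80 (msg:"LOCAL copy of rule one"; sid:10000001; rev:1;)
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_disable_conf(text):
    # Returns (set of SIDs, list of compiled regexes); blank lines and comments are skipped.
    sids, patterns = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        elif line.isdigit():
            sids.add(int(line))
    return sids, patterns

def is_disabled(rule, sids, patterns):
    # A rule is disabled if its SID is listed or any regex matches the rule text.
    m = SID_RE.search(rule)
    if m and int(m.group(1)) in sids:
        return True
    return any(p.search(rule) for p in patterns)

def generate(upstream, disable_conf, local_rules):
    # Emulate the merge: comment out disabled upstream rules, then append local rules.
    sids, patterns = parse_disable_conf(disable_conf)
    out = []
    for rule in upstream.splitlines():
        if rule.strip() and is_disabled(rule, sids, patterns):
            out.append("# " + rule)  # disabled rules are kept, but commented out
        else:
            out.append(rule)
    out.extend(l for l in local_rules.splitlines() if l.strip())
    return out
```

Running generate(UPSTREAM_RULES, DISABLE_CONF, LOCAL_RULES) shows why hand edits to the output file do not survive: the output is fully determined by the inputs, so the disable entry and the local rule are the only durable places to express the change.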

#7

Updated by Shivani Bhardwaj 5 months ago

  • Status changed from New to Closed
