Bug #3270


conf files not found for suricata-update

Added by Rahul Surya over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
low
Label:
Beginner

Description

I am trying to install suricata-4.1.4 with the default installation, which includes the suricata-update feature. After "make install-full", I see the updated rules and the suricata.yaml file present in /etc/suricata. But I have never seen the related files for suricata-update (update.yaml, disable.conf, enable.conf etc.). The suricata-update doc says that, by default, rule-management configuration like disable.conf is taken from /etc/suricata/disable.conf, but that conf file is not present.


Files

suricata_update_log.txt (16.4 KB), Rahul Surya, 10/23/2019 08:59 AM
#1

Updated by Jason Ish over 4 years ago

Correct, these files are not created by default, but maybe it's something we should consider. The documentation does contain samples, though:

https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-files

You can also dump these samples to disk with the following command:

suricata-update --dump-sample-configs

which will place a copy of each in your current directory.

Please note that the dumped update.yaml is an example, and is not suitable for use as-is. It will have to be updated before it can be used as a template that is installed by default.

#2

Updated by Rahul Surya over 4 years ago

So when we run "suricata-update", from which location will the disable.conf be taken: the current location of the dumped files, or /etc/suricata/? Or do we have to pass the flag with the disable.conf path every time, like "suricata-update --disable-conf="path of file""?

#3

Updated by Shivani Bhardwaj over 4 years ago

Rahul Surya wrote:

So when we run "suricata-update", from which location will the disable.conf be taken: the current location of the dumped files, or /etc/suricata/? Or do we have to pass the flag with the disable.conf path every time, like "suricata-update --disable-conf="path of file""?

It will by default look in /etc/suricata unless a path is specified by the flag. You can use the -v option to see which configuration it is picking up at the time of the run.

#4

Updated by Rahul Surya over 4 years ago

Attached is the log file of suricata-update. I don't have any disable.conf file, but what I am not getting is how some of the log lines show that rules got disabled. From where is the conf being read?
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dhcp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto tftp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto krb5
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto ntp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto modbus
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto enip
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dnp3
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto nfs

#5

Updated by Shivani Bhardwaj over 4 years ago

Rahul Surya wrote:

Attached is the log file of suricata-update. I don't have any disable.conf file, but what I am not getting is how some of the log lines show that rules got disabled. From where is the conf being read?
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dhcp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto tftp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto krb5
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto ntp
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto modbus
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto enip
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto dnp3
23/10/2019 -- 13:16:08 - <Info> -- Disabling rules with proto nfs

These are due to settings in your Suricata configuration (/etc/suricata/suricata.yaml?). This is disabling the rules for application-layer protocols that have not been enabled by Suricata.
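As an added illustration of the point above (this is not code from the ticket or from suricata-update itself), the Python sketch below reads the app-layer.protocols section of a suricata.yaml fragment and comments out every rule whose protocol field names a disabled application-layer protocol, emitting the same "Disabling rules with proto X" lines seen in the attached log. The YAML fragment, the rules and their sids are constructed for the example; the indentation-driven walker only understands this fragment's shape, and the assumption that the decision keys on app-layer.protocols.<name>.enabled being no/false is the author's reading of the log output, not a description of suricata-update's internals.

```python
import re

# Constructed suricata.yaml fragment (not a real config): only app-layer.protocols matters here.
SAMPLE_SURICATA_YAML = """\
%YAML 1.1
---
app-layer:
  protocols:
    krb5:
      enabled: no
    ntp:
      enabled: no
    dhcp:
      enabled: no
    http:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
"""

# Constructed rules; the sids are placeholders, not real ET signatures.
SAMPLE_RULES = [
    'alert dhcp any any -> any any (msg:"sample dhcp"; sid:1000001; rev:1;)',
    'alert http any any -> any any (msg:"sample http"; sid:1000002; rev:1;)',
    'alert krb5 any any -> any any (msg:"sample krb5"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"plain tcp"; sid:1000004; rev:1;)',
]


def disabled_app_layer_protocols(yaml_text):
    """Return the names under app-layer.protocols whose 'enabled' value is no/false.

    Indentation-driven scan that only understands the shape of the fragment above;
    it is not a general YAML parser (assumption: entries look like 'name:' / 'enabled: value').
    """
    disabled = set()
    in_protocols = False
    proto_indent = None
    current = None
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().lower()
        if not in_protocols:
            in_protocols = key == "protocols" and indent > 0
            continue
        if proto_indent is None:
            proto_indent = indent            # the first protocol entry fixes the level
        if indent < proto_indent:
            break                            # left the protocols subtree
        if indent == proto_indent:
            current = key                    # a protocol name such as 'krb5'
        elif key == "enabled" and current and value in ("no", "false"):
            disabled.add(current)
    return disabled


RULE_HEADER = re.compile(r"^\s*(?:#\s*)?(?:alert|drop|pass|reject)\s+(\S+)\s+")


def rule_proto(rule):
    """Protocol field of a Suricata rule header, or None for lines that are not rules."""
    m = RULE_HEADER.match(rule)
    return m.group(1).lower() if m else None


def disable_rules_for_disabled_protos(rules, disabled_protos):
    """Comment out rules whose proto is disabled; return (rules, log lines).

    The log lines mirror the 'Disabling rules with proto X' messages from the ticket.
    """
    log = ["Disabling rules with proto %s" % p for p in sorted(disabled_protos)]
    out = []
    for rule in rules:
        if rule_proto(rule) in disabled_protos and not rule.lstrip().startswith("#"):
            out.append("# " + rule)
        else:
            out.append(rule)
    return out, log


if __name__ == "__main__":
    protos = disabled_app_layer_protocols(SAMPLE_SURICATA_YAML)
    rules, log = disable_rules_for_disabled_protos(SAMPLE_RULES, protos)
    print("\n".join(log))
    print("\n".join(rules))
```

The practical check this suggests: if a protocol-based "Disabling rules" line surprises you, look at the enabled setting of that protocol in the suricata.yaml that suricata-update is reading (run it with -v to confirm which file that is), not for a disable.conf.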

#6

Updated by Rahul Surya over 4 years ago

One more doubt: when fetching files with suricata-update, all rules are merged into one file, suricata.rules. Can they be kept as separate files like emerging-icmp.rules, emerging-tcp.rules etc.?

#7

Updated by Shivani Bhardwaj over 4 years ago

Rahul Surya wrote:

One more doubt: when fetching files with suricata-update, all rules are merged into one file, suricata.rules. Can they be kept as separate files like emerging-icmp.rules, emerging-tcp.rules etc.?

Yes, you could use the "--no-merge" option.

#8

Updated by Rahul Surya over 4 years ago

What I observed is this: I am doing a rule reload by giving a flag to suricata-update. If I make a drop rule for ICMP, run traffic, then change that rule to alert and do a rule reload, the currently running traffic is still dropped, but it should flow, right?

#9

Updated by Rahul Surya over 4 years ago

I am trying to add a signature ID in disable.conf; the signature ID is in my local rule file and it is not getting disabled. Rules in other rule files are getting disabled, like emerging threats and the ja3 signatures from the rule URLs Suricata suggested.

#10

Updated by Jason Ish over 4 years ago

Rahul Surya wrote:

I am trying to add a signature ID in disable.conf; the signature ID is in my local rule file and it is not getting disabled. Rules in other rule files are getting disabled, like emerging threats and the ja3 signatures from the rule URLs Suricata suggested.

Can you paste the contents of your disable.conf? Also try telling suricata-update about its config on the command line, in case it's not being picked up by default, for example:

suricata-update --disable-conf /path/to/disable.conf ...

#11

Updated by Rahul Surya over 4 years ago

Jason Ish wrote:

Rahul Surya wrote:

I am trying to add a signature ID in disable.conf; the signature ID is in my local rule file and it is not getting disabled. Rules in other rule files are getting disabled, like emerging threats and the ja3 signatures from the rule URLs Suricata suggested.

Can you paste the contents of your disable.conf? Also try telling suricata-update about its config on the command line, in case it's not being picked up by default, for example:

suricata-update --disable-conf /path/to/disable.conf

Yeah, I checked this one. For disabling or enabling my own rule file, I am using a command like
suricata-update --local=<filename or directory>
Without the --local option it's not working.
#12

Updated by Rahul Surya over 4 years ago

Can you check this one?
I am doing a rule reload by giving a flag to suricata-update. If I make a drop rule for ICMP, run traffic, then change that rule to alert and do a rule reload, the currently running traffic is still dropped, but it should flow, right?

#13

Updated by Shivani Bhardwaj over 4 years ago

Hi Rahul!

Sorry about getting back to you late on this. Could you please give some more description? Preferably the rule you're trying to work on, your disable.conf, the commands you are using and the procedure. We may be able to help you then.

#14

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from New to Assigned

#15

Updated by Shivani Bhardwaj almost 4 years ago

Closing due to inactivity on this issue for a long time. Please create a new issue in case the problem persists.

#16

Updated by Shivani Bhardwaj almost 4 years ago

  • Status changed from Assigned to Closed