Documentation #4665

open

Update docs to include information about file* functionality

Added by Jascha Sticher over 2 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee:
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi Everyone,

We deploy our own custom ruleset via suricata-update. We recently added file hashes and stumbled upon a curious quirk that doesn't seem to be documented very well.

When deploying hash files with the *.tgz file, they are only put into /var/lib/suricata if they are also referenced by a rule.

I volunteer to update the documentation to reflect this behaviour, but I'm not sure where the correct place inside the docs is.

Kind regards,

Jascha

Actions #1

Updated by Jason Ish over 2 years ago

Yeah, there isn't really a section that is suitable for this information right now. I think it's less of a quirk than it may seem tho.

Suricata-Update ignores files it doesn't know what to do with, like the README that may be in some archives, or other random files that end up in these archive files. Hash lists are the same: until referenced by a rule, Suricata-Update doesn't know what the file is for, so it doesn't make any assumption.
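A pre-deployment check for the behaviour described in this thread, added here as an example and not code from suricata-update itself: it scans the `.rules` files inside a ruleset tarball for the `filemd5`/`filesha1`/`filesha256` keywords and reports which hash lists in the archive are actually referenced (and so would be installed) versus orphaned. The sample tarball, its rule and its hash values are constructed for the example; the "only referenced hash lists are used" model is a simplification of the thread's description, not suricata-update's exact logic.

```python
import io
import re
import tarfile

# Suricata file-hash keywords; their argument names a hash-list file (assumption:
# only these three keywords are treated as hash-list references here).
_REF_RE = re.compile(r'\b(filemd5|filesha1|filesha256)\s*:\s*!?\s*"?([^";]+)"?')


def referenced_hash_files(rules_text):
    """Return the set of hash-list filenames referenced by file* keywords."""
    return {m.group(2).strip() for m in _REF_RE.finditer(rules_text)}


def classify_archive(tgz_bytes):
    """Split a ruleset tarball into files that would be used and files ignored.

    Rules files are always used; a hash list is used only if some rule
    references it by name; everything else (README etc.) is ignored.
    """
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        members = {m.name: tar.extractfile(m).read().decode()
                   for m in tar if m.isfile()}
    rules_text = "\n".join(t for n, t in members.items() if n.endswith(".rules"))
    refs = referenced_hash_files(rules_text)
    used, ignored = set(), set()
    for name in members:
        base = name.rsplit("/", 1)[-1]
        (used if name.endswith(".rules") or base in refs else ignored).add(name)
    return used, ignored


def build_sample_tgz():
    """Constructed sample ruleset: one rule, one referenced list, one orphan."""
    files = {
        "custom.rules": ('alert http any any -> any any (msg:"known bad file"; '
                         'filesha256:bad.sha256; sid:1000001; rev:1;)\n'),
        "bad.sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n",
        "orphan.md5": "d41d8cd98f00b204e9800998ecf8427e\n",  # referenced by no rule
        "README": "ruleset notes\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    used, ignored = classify_archive(build_sample_tgz())
    print("used:", sorted(used), "ignored:", sorted(ignored))
```

Running the module lists `orphan.md5` and `README` as ignored, which is exactly what a ruleset author would want to catch before publishing.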

Actions #2

Updated by Jascha Sticher over 2 years ago

I get that. This information alone would be helpful though.

As I see it, there isn't a section about the expected format of rule packages (and files that are automatically used like 'classification.conf') in general. I think that would be a good addition as a subsection in 'suricata-update - Update'.

Actions #3

Updated by Jason Ish over 2 years ago

  • Tracker changed from Bug to Documentation
  • Assignee changed from Shivani Bhardwaj to Jason Ish

I've been thinking of a doc section on guidelines for publishing a ruleset. It might not be the best location for this type of information, but it's a better section than what we have now.
