Feature #695

closed

Ubuntu PPA Doesn't Install Any Rules

Added by Kevin Harriss over 8 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I just installed Suricata-stable from the Ubuntu PPA for 12.04 per the installation guide. When I installed the package it didn't install any rules. I am not sure if this is the correct behavior but the documentation doesn't give steps to installing the rules for a package install. Usually Ubuntu packages would install a rule set along with the package or have a separate package for the rules.

Kevin Harriss

Actions #1

Updated by Peter Manev over 8 years ago

  • Tracker changed from Bug to Feature
  • Priority changed from High to Normal

Hi Kevin,

This is not a bug.
It is true however that a small script (and/or during the time of installation/post-installation) downloading the rules set would be ideal.

However you could refer to this guide:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

or just download and untar the ruleset in a directory of your choosing (or yaml config setting) from here
http://rules.emergingthreats.net/open/suricata/

or if you prefer you can download and use a VRT ruleset.

It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week.

Thanks

Actions #2

Updated by Kevin Harriss over 8 years ago

Thanks for the quick response. I agree that if the recommended route is oinkmaster then this isn't a bug but a feature request. It might be a good idea to update the guide here:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)

to include a section saying to set up the rules, follow the oinkmaster guide. Just my thought though.

Actions #3

Updated by Peter Manev over 8 years ago

I agree.
I updated the Basic Set up guide (link provided in the Ubuntu Installation - Personal Package Archives (PPA) page) with rule management info.

Thank you

Actions #4

Updated by Peter Manev almost 8 years ago

  • Assignee set to Peter Manev

Actions #5

Updated by Victor Julien almost 8 years ago

  • Target version set to TBD

Actions #6

Updated by Peter Manev about 7 years ago

  • % Done changed from 0 to 90

The current 2.0.2 Ubuntu PPA Launchpad package downloads and installs a full ET Open ruleset.

Actions #7

Updated by Victor Julien about 7 years ago

How does it install them? What happens if it encounters an existing ruleset?

Actions #8

Updated by Peter Manev about 7 years ago

It overrides.

It can be made to ask Y|N - but then that would mean that apt-get upgrade would stop and not continue until the user answers.

Actions #9

Updated by Victor Julien about 7 years ago

Hmm, this is not how the packaging should behave. It needs to be non-interactive and it certainly shouldn't override an existing config/rule setup.

I know that Debian has a separate package for rules (https://packages.debian.org/sid/snort-rules-default), but that is not a good approach either. It lacks update capabilities. In general, data like rules shouldn't be in debs. It's too volatile and needs to be updated regularly (daily/weekly).

I really think the proper way would be to install oinkmaster/pulledpork with a tuned-for-suri default configuration. But this doesn't belong in the suricata ppa package though. We could consider offering such an oinkmaster or pulledpork package through our ppa, but that's another thing to maintain then.

Actions #10

Updated by Peter Manev about 7 years ago

Yes... I agree - this is a challenge.

Maybe we can download the rules in a sub dir of /etc/suricata/rules/ETOpen-date or something like this? (during upgrade/install)
That way we will not override any rules if such exist and there will be a rule-set to use if none is present.

Actions #11

Updated by Victor Julien over 6 years ago

  • Target version changed from TBD to Packaging/PPA

Actions #12

Updated by Peter Manev about 5 years ago

  • Status changed from New to Closed

The PPA package will try to download an ET open ruleset - if network connectivity is present - if not it will continue with the installation but not download any rules.
See - https://redmine.openinfosecfoundation.org/issues/1730
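The behaviour agreed on in this thread (comment #10 and the closing comment) is easy to state but easy to get wrong in a maintainer script: never prompt, never overwrite a ruleset the admin or a rule manager already put in place, and keep the package install going when the download fails. The POSIX shell hook below is an added illustration of those three rules; it is not the Suricata PPA's actual postinst, and the `RULES_URL`, `RULES_DIR` and function names are assumptions. The hook is a set of functions so it can be sourced without side effects; the guarded call at the end is how a postinst would invoke it.

```shell
#!/bin/sh
# Constructed example of a non-interactive post-install rules hook.
# Not the Suricata PPA's own maintainer script; URL and directory are assumptions.
#
#   - never prompts, so "apt-get upgrade" is not blocked waiting for an answer
#   - never overwrites a rules directory that already holds *.rules files
#   - exits 0 when there is no network, so the package install still succeeds

RULES_URL="${RULES_URL:-https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz}"
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"

# fetch_ruleset URL DEST
# Download URL to DEST with a short timeout. Non-zero on any failure (no
# network, DNS, HTTP error) so the caller can continue quietly.
fetch_ruleset() {
    url="$1"; dest="$2"
    if command -v wget >/dev/null 2>&1; then
        wget -q --timeout=10 --tries=1 -O "$dest" "$url"
    elif command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 10 -o "$dest" "$url"
    else
        return 1
    fi
}

# rules_present DIR
# True if DIR already contains at least one .rules file, i.e. the admin (or a
# rule manager such as oinkmaster) has set something up that must be left alone.
rules_present() {
    set -- "$1"/*.rules
    [ -e "$1" ]
}

# install_rules RULES_DIR URL [FETCH_CMD]
# Prints the outcome and returns 0 in every case packaging should treat as success:
#   kept      - rules already present, nothing touched
#   skipped   - download or unpack failed, install continues without rules
#   installed - fresh ruleset copied into RULES_DIR
install_rules() {
    dir="$1"; url="$2"; fetch="${3:-fetch_ruleset}"
    if rules_present "$dir"; then
        echo kept
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    if ! "$fetch" "$url" "$tmp/rules.tar.gz"; then
        rm -rf "$tmp"
        echo skipped
        return 0
    fi
    # Unpack into a staging directory first so a truncated archive can never
    # leave a half-written rules directory behind.
    mkdir "$tmp/unpacked"
    if ! tar -xzf "$tmp/rules.tar.gz" -C "$tmp/unpacked"; then
        rm -rf "$tmp"
        echo skipped
        return 0
    fi
    mkdir -p "$dir"
    find "$tmp/unpacked" -name '*.rules' -exec cp {} "$dir"/ \;
    rm -rf "$tmp"
    echo installed
}

# Run only when explicitly asked (e.g. from postinst with RUN_RULES_HOOK=1),
# so sourcing this file for reuse or testing has no side effects.
if [ "${RUN_RULES_HOOK:-0}" = 1 ]; then
    install_rules "$RULES_DIR" "$RULES_URL"
fi
```

Because every failure path still returns 0, dpkg never sees the hook as a failed postinst, which is exactly the "continue with the installation but not download any rules" behaviour described above; the only condition that changes the rules directory is "no `.rules` file exists yet", which is what keeps an oinkmaster-managed setup intact across upgrades.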
