Can I use suricata-update to update any rules?

CoolerAndy · February 8, 2022, 7:43am

Hi,

Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: ptresearch/attackdetection
  Vendor: Positive Technologies
  Summary: Positive Technologies Attack Detection Team ruleset
  License: Custom
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3

Can I use suricata-update to update rules excluded from suricata-update list-sources above? Such as URL haus rules from URLhaus | API.
If yes, how to update these rules? Do I need to download rulesets before update rules?

Jeff_Lucovsky · February 8, 2022, 3:17pm

The short answer is yes – suricata-update will do exactly that. Use enable-source for the rule sources and then run suricata-update

CoolerAndy · February 9, 2022, 6:05am

Hi, Jeff

I want to update some rules which excluded from suricata-update list-sources, I don’t think I can update these rules with enable-source if they are not listed.

ish · February 9, 2022, 6:34am

Try suricata-update add-source, it will prompt you for a name and a URL.

See: add-source - Add a source by URL — suricata-update 1.3.0dev0 documentation

CoolerAndy · February 9, 2022, 10:25am

Hi, Jeff

Thanks for your reply.

By following the documentation, I have already added and enabled my rules, but it showed error when I tried to suricata-update, did I miss something?

Jeff_Lucovsky · February 9, 2022, 1:27pm

See the response by @ish to add a source which can then be enabled.

CoolerAndy · February 10, 2022, 8:21am

Thanks Jeff,

It still shows “Source name not in index” although I have already added and enabled rule sources, really need help.

sbhardwaj · February 10, 2022, 1:24pm

Hi @CoolerAndy !
Thank you for reaching out. In any case, we shuld not have an exception traceback s this requires a bug report. Could you please submit a bug report on Overview - Suricata-Update - Open Information Security Foundation with the exact steps that you used to reach this traceback and the version of suricata-update you’re using? Perhaps, that can help us debug the issue you’re having too.
I’ll be happy to take a look into this for you.
Thank you very much!

CoolerAndy · February 11, 2022, 3:27am

Hi Shivani,

Thanks for your reply. I need to apologize I can’t find the “submit” button on Overview - Suricata-Update - Open Information Security Foundation, all I can do is to view descriptions of bugs. Anyway, my suricata-update version is 1.2.2 (rev: 9a44e83) (suricata version 4.1.4)and update steps are attached below

CoolerAndy · February 15, 2022, 11:14am

Hi, @sbhardwaj

Is there any follow-up solution or method for the bug report? Looking forward to your reply:)

ish · February 16, 2022, 4:45am

It looks like you did a sequence of events that created a source without a URL, so its looking to the index for the URL for that source, but it doesn’t exist in the index.

See if you can remove the source in question:

suricata-update remove-source feodotracker-botnet

Make sure suricata-update can run without issues.

Then try re-adding that ruleset with a command like:

suricata-update add-source feodotracker https://feodotracker.abuse.ch/downloads/feodotracker.rules

Topic		Replies	Views
Best ruleset for suricata Rules	1	7230	March 20, 2021
Suricata-update add custom source Help suricata-update , suricata	8	713	August 10, 2023
How and where to get new rules? Help	1	314	September 5, 2023
Suricata-Update - Use Only Local Rules Rules	2	1398	July 8, 2020
Suricata-update: some questions about the rules settings Rules suricata-update	4	355	October 8, 2023

Can I use suricata-update to update any rules?

Related Topics