We have been using Suricata for our IDS needs thus far and it has worked wonderfully. However, we are trying to generate an automated process to filter, gather, and implement new rules from “emerging threats”. I’m assuming the automated process is going to run into many errors once it has to begin sorting the rules into the proper directories under suricata.rules. I was curious if we were able to remove all of the different directories (dns.rules, http.rules, malware.rules …etc.) and create a single mass directory containing all of the rules. Or move all of the existing rules into a single directory under suricata.rules.
Would this cause errors? I’m under the impression that it wouldn’t matter, but I wanted to verify before bringing it up to our development teams.
Emerging Threats/Proofpoint rule distribution does have multiple rule files; the Suricata configuration has a section where you can list the individual files explicitly (note: you can also use a glob). This is documented at 10.1. Suricata.yaml — Suricata 7.0.0-rc2-dev documentation
default-rule-path: /usr/local/etc/suricata/rules
rule-files:
  - dns.rules
  - malware.rules
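If you do decide to consolidate everything into one file instead of listing the category files, the main thing an automated merge has to guard against is the same sid appearing in two source files: Suricata treats a duplicate sid as an error at load time, so the merge step should detect it and keep only one copy (the higher rev). The script below is an added example, not code from this thread or from the Suricata or Emerging Threats projects. It assumes the rule files are plain `.rules` text with one rule per line, the usual `sid:` and `rev:` keywords, and a constructed sample set using local-range sids (1000000+); the function and file names are hypothetical.

```python
"""Merge several Suricata rule files into one, refusing silent sid collisions.

Added example (not from the forum thread). Assumes one rule per line and
standard `sid:`/`rev:` options. Sample input below is constructed.
"""
import re
from pathlib import Path

# sid/rev option parsers; tolerate optional whitespace around the colon.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (sid, rev, line) for each active rule line.

    Blank lines and '#' comments (disabled rules) are skipped. A line that
    is neither a comment nor carries a sid is malformed and raises.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            raise ValueError(f"rule without sid: {line[:60]}")
        rev_m = REV_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 1  # Suricata defaults rev to 1
        yield int(m.group(1)), rev, line


def merge_rule_texts(named_texts):
    """Merge [(filename, text), ...] into a single sorted rule list.

    Returns (merged_lines, conflicts). A sid seen in two files is recorded in
    `conflicts` as (sid, first_file, second_file); the copy with the higher
    rev wins, and on a tie the first occurrence is kept.
    """
    chosen = {}      # sid -> (rev, line, source file)
    conflicts = []
    for name, text in named_texts:
        for sid, rev, line in parse_rules(text):
            if sid in chosen:
                prev_rev, _, prev_src = chosen[sid]
                conflicts.append((sid, prev_src, name))
                if rev <= prev_rev:
                    continue
            chosen[sid] = (rev, line, name)
    merged = [chosen[sid][1] for sid in sorted(chosen)]
    return merged, conflicts


def merge_rule_dir(src_dir, out_file):
    """Merge every *.rules file under src_dir into out_file.

    Returns (rule_count, conflicts) so a pipeline can fail or alert when
    conflicts is non-empty instead of shipping an ambiguous ruleset.
    """
    texts = [(p.name, p.read_text()) for p in sorted(Path(src_dir).glob("*.rules"))]
    merged, conflicts = merge_rule_texts(texts)
    Path(out_file).write_text("\n".join(merged) + "\n")
    return len(merged), conflicts


# Constructed sample input: two category files that collide on sid 1000001.
SAMPLE_FILES = [
    ("dns.rules",
     'alert dns any any -> any any (msg:"DNS test"; sid:1000001; rev:1;)\n'
     '# alert dns any any -> any any (msg:"disabled"; sid:1000009; rev:1;)\n'),
    ("http.rules",
     'alert http any any -> any any (msg:"HTTP test"; sid:1000002; rev:2;)\n'
     'alert http any any -> any any (msg:"HTTP test newer"; sid:1000001; rev:2;)\n'),
]

if __name__ == "__main__":
    lines, dups = merge_rule_texts(SAMPLE_FILES)
    for sid, first, second in dups:
        print(f"WARNING: sid {sid} appears in both {first} and {second}; kept higher rev")
    print("\n".join(lines))
```

Whether you merge or not, the check is the same one Suricata itself applies on startup, so running `suricata -T -c suricata.yaml` against the generated ruleset before deploying it is the final gate. The lighter alternative the reply already points at is to leave the category files alone and give `rule-files:` a glob such as `"*.rules"`, which avoids the merge step entirely.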
Perfect, thank you very much