I have an Ansible Role that:
- Reaches out to all the sensors in an inventory file and collect the version of Suricata running on them and build a version list.
- Run Suricata-update once for each unique version in the list and store the suricata.rules file in a folder with the version number.
- Then push the appropriate suricata.rules file to each sensor.
- Restart the Suricata service on each sensor.
One fact about the above approach is the ruleset will get pushed to each sensor and the service gets restarted even if the ruleset did not change.
However, I’m considering a different approach. Instead of configuring the central Suricata-update host to push the new rulesets, just have it store the new rulesets in a folder that is accessible via a URL. That would allow the remote sensors to run Suricata-update locally and pull the ruleset from the central Suricata-update host. It would use the built-in intelligence of Suricata-update to only restart the service if needed.
It would look like this. The central Suricata-update host would:
- Reach out to all the sensors in an inventory file and collect the version of Suricata running on them and build a version list. (You could skip this step with a manually configured list of versions)
- Run Suricata-update once for each unique version in the list and store the suricata.rules file in a folder with the version number. This would happen first, for example, a cron job would run a 1:00 AM (The folder would need to already be reachable via a unique URL)
- Each remote sensor would be configured to pull from a custom source with a URL that would point to the location the central Suricata-update host stores the rulesets.
- Each remote sensor would run Suricata-update with a cron job any time after 1:00 AM and pull the rulesets on their own.
If you want to look at the Ansible Role I have feel free. It’s main purpose is to manage Corelight Sensors that have Zeek and Suricata running on them. The physical appliances cannot run Suricata-update so I will still have to push the rulesets to them with an API (Corelight-client). The Corelight software sensors run on any Linux host so Suricata-update can easily be included.
https://github.com/corelight/Corelight-Ansible-Roles/tree/main/roles/suricata_update_config