Couple of questions about suricata-update

Hello,

In the implementation of suricata-update I see the following two things which I have a question about:

  1. If I don't enable any source, I get the following message: "No sources configured, will use Emerging Threats Open". Why is that?
  2. In “def load_dist_rules(files)”, I see following code:

    # In the future hopefully we can just pull in all files from
    # /usr/share/suricata/rules, but for now pull in the set of files
    # known to have been provided by the Suricata source.
    filenames = [
        "app-layer-events.rules",
        "decoder-events.rules",
        "dhcp-events.rules",
        "dnp3-events.rules",
        "dns-events.rules",
        "files.rules",
        "http-events.rules",
        "ipsec-events.rules",
        "kerberos-events.rules",
        "modbus-events.rules",
        "nfs-events.rules",
        "ntp-events.rules",
        "smb-events.rules",
        "smtp-events.rules",
        "stream-events.rules",
        "tls-events.rules",
    ]

The downside of this code is that, even if I enable mqtt and ssh, the Suricata-provided rule files /usr/share/suricata/rules/ssh-events.rules and /usr/share/suricata/rules/mqtt-events.rules, respectively, won't get loaded.

Why does the implementation not consider the mqtt and ssh distribution-provided rule files?

Thanks in advance!
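The gap the question describes can be checked mechanically. The script below is an added example, not code from suricata-update or Suricata: it reproduces the hard-coded list quoted above, compares it against the engine rule files actually present in a rules directory, and shows what a glob-based loader would pick up instead. Assumptions: a constructed temporary directory stands in for /usr/share/suricata/rules (the real path can be passed to run_check instead), each file holds one placeholder rule line that is not a real Suricata rule, and "engine rule file" is taken to mean any *-events.rules file plus files.rules, mirroring the pattern of the quoted list.

```python
import os
import tempfile

# Hard-coded list exactly as quoted from load_dist_rules() in the question above.
KNOWN_DIST_RULES = [
    "app-layer-events.rules", "decoder-events.rules", "dhcp-events.rules",
    "dnp3-events.rules", "dns-events.rules", "files.rules",
    "http-events.rules", "ipsec-events.rules", "kerberos-events.rules",
    "modbus-events.rules", "nfs-events.rules", "ntp-events.rules",
    "smb-events.rules", "smtp-events.rules", "stream-events.rules",
    "tls-events.rules",
]


def dist_rule_files_on_disk(rules_dir):
    """Engine rule files actually present: every *-events.rules file plus
    files.rules (assumption: this matches the naming pattern of the list)."""
    if not os.path.isdir(rules_dir):
        return []
    return sorted(n for n in os.listdir(rules_dir)
                  if n.endswith("-events.rules") or n == "files.rules")


def skipped_by_hardcoded_list(rules_dir, known=KNOWN_DIST_RULES):
    """Files on disk that the hard-coded list would silently never load."""
    known_set = set(known)
    return [n for n in dist_rule_files_on_disk(rules_dir) if n not in known_set]


def listed_but_absent(rules_dir, known=KNOWN_DIST_RULES):
    """Entries in the hard-coded list with no file on disk (e.g. an older Suricata)."""
    on_disk = set(dist_rule_files_on_disk(rules_dir))
    return [n for n in known if n not in on_disk]


def load_dist_rules_by_glob(rules_dir):
    """Directory-driven alternative: load every engine rule file found and
    return {filename: count of non-blank, non-comment lines}."""
    loaded = {}
    for name in dist_rule_files_on_disk(rules_dir):
        with open(os.path.join(rules_dir, name), encoding="utf-8") as fh:
            loaded[name] = sum(
                1 for line in fh
                if line.strip() and not line.lstrip().startswith("#"))
    return loaded


def make_sample_rules_dir():
    """Constructed stand-in for /usr/share/suricata/rules: the 16 listed files
    plus ssh-events.rules and mqtt-events.rules, one placeholder line each."""
    rules_dir = tempfile.mkdtemp(prefix="suricata-rules-")
    for name in KNOWN_DIST_RULES + ["ssh-events.rules", "mqtt-events.rules"]:
        proto = name.split("-")[0] if name.endswith("-events.rules") else "http"
        with open(os.path.join(rules_dir, name), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample file, not a real Suricata rule\n")
            fh.write(f'alert {proto} any any -> any any '
                     f'(msg:"SAMPLE {name}"; sid:9000001; rev:1;)\n')
    return rules_dir


def run_check(rules_dir=None):
    """Report what the hard-coded list skips, what it expects but cannot find,
    and what a glob over the directory would load."""
    rules_dir = rules_dir or make_sample_rules_dir()
    return {
        "skipped": skipped_by_hardcoded_list(rules_dir),
        "absent": listed_but_absent(rules_dir),
        "glob_loaded": sorted(load_dist_rules_by_glob(rules_dir)),
    }


if __name__ == "__main__":
    # Pass "/usr/share/suricata/rules" instead to check a real installation.
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

On the constructed directory the "skipped" entry comes back as mqtt-events.rules and ssh-events.rules, which is exactly the pair the question points at; run against a real /usr/share/suricata/rules it will also surface any files a newer Suricata release ships that the list predates, or list entries an older release does not provide.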

  1. Prior to Suricata-Update, Suricata defaulted to using the ET/open ruleset via curl or wget. This more or less keeps that behavior of supplying the user with an ET/open ruleset when no other rules have been configured.

  2. Sorry, that's an issue; I created a ticket: Bug #6932: missing engine rules: ssh, mqtt - Suricata-Update - Open Information Security Foundation