Couple of questions about suricata-update


In the implementation of suricata-update I see the following two things which I have a question about:

  1. If I don’t enable any source, I get the following message: “No sources configured, will use Emerging Threats Open”. Why is that?
  2. In “def load_dist_rules(files)”, I see the following code:

    # In the future hopefully we can just pull in all files from
    # /usr/share/suricata/rules, but for now pull in the set of files
    # known to have been provided by the Suricata source.
    filenames = [

The downside of this code is that even if I enable mqtt and ssh, the Suricata-provided rule files, /usr/share/suricata/rules/ssh-events.rules and /usr/share/suricata/rules/mqtt-events.rules respectively, won’t get loaded.

Why does the implementation not consider the mqtt and ssh distribution-provided rule files?

Thanks in advance!

  1. Prior to Suricata-Update, Suricata defaulted to using the ET/open ruleset via curl or wget. This more or less keeps that behavior of supplying the user with an ET/open ruleset when no other rules have been configured.

  2. Sorry, that’s an issue; I created a ticket: Bug #6932: missing engine rules: ssh, mqtt - Suricata-Update - Open Information Security Foundation
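The question above shows why a hard-coded allow-list in load_dist_rules can silently drop distribution rule files, and the reply confirms it for ssh-events.rules and mqtt-events.rules. A practical way to catch this on your own sensor is to compare the SIDs in every *.rules file under the distribution directory with the SIDs that actually reached the merged output. The script below is an added example and not code from suricata-update or the Suricata project; it assumes the layout the thread mentions (/usr/share/suricata/rules as the distribution rules, and suricata-update's merged output, by default /var/lib/suricata/rules/suricata.rules) but takes both paths as parameters. The demo data, file names and SIDs it builds are constructed for illustration, not real Suricata rules.

```python
"""Audit check: which distribution rule files never made it into the
ruleset that suricata-update merged.

Added example, not suricata-update's own code. Paths are parameters so it
can run against constructed data; on a real box you would pass
/usr/share/suricata/rules and /var/lib/suricata/rules/suricata.rules.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches the sid option of a Suricata rule, e.g. "sid:2228000;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sids(path, include_disabled=False):
    """Return the set of SIDs found in one rules file.

    suricata-update writes rules it disabled with a leading '#'. For the
    merged file we count those as 'loaded' (the file was read, the rule was
    just turned off), so include_disabled=True strips that comment marker.
    """
    sids = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("#"):
                if not include_disabled:
                    continue
                line = line.lstrip("#").strip()
            m = SID_RE.search(line)
            if m:
                sids.add(int(m.group(1)))
    return sids


def audit_dist_rules(dist_dir, merged_file):
    """Compare every *.rules file in dist_dir against the merged file.

    Returns {filename: (total_sids, sorted list of SIDs absent from merged)}.
    """
    merged = set()
    if os.path.exists(merged_file):
        merged = rule_sids(merged_file, include_disabled=True)
    report = {}
    for path in sorted(Path(dist_dir).glob("*.rules")):
        sids = rule_sids(path)
        report[path.name] = (len(sids), sorted(sids - merged))
    return report


def never_loaded(report):
    """Filenames whose every SID is absent from the merged output: these are
    the files an allow-list such as the one in load_dist_rules skipped."""
    return [name for name, (total, missing) in report.items()
            if total > 0 and len(missing) == total]


def build_demo():
    """Constructed sample data (not real Suricata rules or SIDs): a dist dir
    with three files and a merged file that only picked up the first one."""
    root = Path(tempfile.mkdtemp(prefix="sudemo-"))
    dist = root / "dist"
    dist.mkdir()

    def rule(sid, msg):
        return f'alert ip any any -> any any (msg:"{msg}"; sid:{sid}; rev:1;)\n'

    (dist / "dns-events.rules").write_text(
        rule(9900001, "DEMO dns 1") + rule(9900002, "DEMO dns 2"))
    (dist / "ssh-events.rules").write_text(rule(9900101, "DEMO ssh 1"))
    (dist / "mqtt-events.rules").write_text(rule(9900201, "DEMO mqtt 1"))

    merged = root / "suricata.rules"
    # The merged output has both dns rules (one disabled by suricata-update)
    # and nothing at all from the ssh or mqtt files.
    merged.write_text(rule(9900001, "DEMO dns 1")
                      + "# " + rule(9900002, "DEMO dns 2"))
    return dist, merged


if __name__ == "__main__":
    dist, merged = build_demo()
    report = audit_dist_rules(dist, merged)
    for name, (total, missing) in report.items():
        print(f"{name}: {total} rules, {len(missing)} missing")
    print("never loaded:", never_loaded(report))
```

Run it after each suricata-update run; any file listed by never_loaded is a candidate for the allow-list gap described in the thread, whereas a file with only some SIDs missing usually reflects disable.conf or modify.conf rather than a file that was skipped.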