Hello, we here at General Electric run Suricata 6.0 on about 250 devices world-wide. Currently we are pulling rules from Emerging Threats version 2.9. We want to upgrade those rules to the current highest version, 5.0. Our automation now takes the ET rules, does processing on them, and distributes them to all devices. Can you tell me what the impact would be if we started pulling version 5 rules and integrating them into our grid?
Hard to tell, it depends what rules you pull and the network traffic.
I would expect at least that you will need to do tuning on the rules, apply thresholds to the noisy ones, disable the ones with high false positives, and migrate/verify custom rules to the new format.
This highly depends on what your automation does. If it checks for revisions, that might be an issue, since they might be a lower number in the new ruleset compared to the old rules.
Also, some groups have changed in between.
But overall, if you primarily pass them forward, there should be no issue. You will benefit from the new keywords that are used.
Just remember to update that classification file with the rules.
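The revision and classification pitfalls raised in the reply are easy to check for before a new ruleset is pushed out. The following is an added example, not code from the thread or from the Emerging Threats project: it indexes an old and a new `.rules` file by `sid`, lists sids whose `rev` went down (which a "only accept if rev increased" pipeline would silently ignore), lists classtypes the new rules use that the current `classification.config` does not define, and emits `threshold.config` lines for the noisy or false-positive sids found during tuning. All sids, rule bodies and the classification snippet below are constructed for the demonstration; the parser assumes one rule per line and does not handle backslash line continuation.

```python
import re
from typing import Dict, List, Set

# Options the upgrade check needs to read out of each rule line.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
CLASSTYPE_RE = re.compile(r'\bclasstype\s*:\s*([\w-]+)\s*;')
# "config classification: <name>,<description>,<priority>"
CLASSIFICATION_RE = re.compile(r'^\s*config\s+classification:\s*([^,]+)\s*,')


def parse_rules(text: str) -> Dict[int, dict]:
    """Index a .rules file by sid. A leading '#' marks a disabled rule; it is still
    recorded so disabled rules can be tracked across the upgrade.
    Assumes one rule per line (no backslash continuation)."""
    rules: Dict[int, dict] = {}
    for line in text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('#').strip()
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # blank line or plain comment
        rev_m = REV_RE.search(body)
        ct_m = CLASSTYPE_RE.search(body)
        rules[int(sid_m.group(1))] = {
            'rev': int(rev_m.group(1)) if rev_m else 0,
            'classtype': ct_m.group(1) if ct_m else None,
            'enabled': enabled,
        }
    return rules


def parse_classifications(text: str) -> Set[str]:
    """Collect the classtype names defined in a classification.config."""
    names: Set[str] = set()
    for line in text.splitlines():
        m = CLASSIFICATION_RE.match(line)
        if m:
            names.add(m.group(1).strip())
    return names


def compare_rulesets(old: Dict[int, dict], new: Dict[int, dict]) -> Dict[str, List[int]]:
    """Diff two parsed rulesets. 'rev_regressed' holds sids whose rev is lower in the
    new set than in the old one; a pipeline that only takes rules whose rev went up
    would keep the stale copy for exactly these sids."""
    common = old.keys() & new.keys()
    return {
        'rev_regressed': sorted(s for s in common if new[s]['rev'] < old[s]['rev']),
        'added': sorted(new.keys() - old.keys()),
        'removed': sorted(old.keys() - new.keys()),
    }


def unknown_classtypes(rules: Dict[int, dict], known: Set[str]) -> Dict[str, List[int]]:
    """Map each classtype used by the rules but missing from classification.config to
    the sids using it; Suricata warns about such classtypes when loading rules."""
    out: Dict[str, List[int]] = {}
    for sid, r in rules.items():
        ct = r['classtype']
        if ct and ct not in known:
            out.setdefault(ct, []).append(sid)
    return {ct: sorted(sids) for ct, sids in out.items()}


def threshold_entry(sid: int, count: int = 1, seconds: int = 60) -> str:
    """threshold.config line rate-limiting one sid per source address."""
    return (f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, "
            f"count {count}, seconds {seconds}")


def suppress_entry(sid: int) -> str:
    """threshold.config line silencing a sid entirely (confirmed false positive)."""
    return f"suppress gen_id 1, sig_id {sid}"


# Constructed sample data (sids in the local 9000000+ range, not real ET signatures).
OLD_RULES = """
alert ip any any -> any any (msg:"TEST A old"; sid:9000001; rev:5; classtype:trojan-activity;)
alert ip any any -> any any (msg:"TEST B old"; sid:9000002; rev:3; classtype:policy-violation;)
# alert ip any any -> any any (msg:"TEST C old, disabled"; sid:9000003; rev:2; classtype:misc-activity;)
"""
NEW_RULES = """
alert http any any -> any any (msg:"TEST A new"; http.method; content:"POST"; sid:9000001; rev:2; classtype:trojan-activity;)
alert tls any any -> any any (msg:"TEST B new"; tls.sni; content:"example"; sid:9000002; rev:4; classtype:coin-mining;)
alert dns any any -> any any (msg:"TEST D new"; dns.query; content:"example"; sid:9000004; rev:1; classtype:misc-activity;)
"""
OLD_CLASSIFICATION = """
config classification: trojan-activity,A Network Trojan was detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: misc-activity,Misc activity,3
"""

if __name__ == '__main__':
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print(compare_rulesets(old, new))
    print(unknown_classtypes(new, parse_classifications(OLD_CLASSIFICATION)))
    print(threshold_entry(9000002, count=1, seconds=3600))
    print(suppress_entry(9000004))
```

In the constructed data, sid 9000001 comes back with a lower `rev` in the new set, sid 9000003 disappears, sid 9000004 is new, and `coin-mining` is not defined in the old classification file, so the report would tell the operator to force-accept 9000001, review the removed and added sids, and ship the new `classification.config` together with the rules.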