Why is Suricata-IDS doing it? Separate files are better.
In the “suricata.rules” file, are the rules distinguished from each other?
Mine is something like:
alert tcp [95.217.164.106,95.217.164.136,95.217.165.169,95.217.165.27,95.217.167.152,95.217.176.151,95.217.179.82,95.217.180.216,95.217.181.228,95.217.183.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522839; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.183.21,95.217.186.37,95.217.189.94,95.217.190.131,95.217.191.166,95.217.191.9,95.217.19.208,95.217.197.204,95.217.20.144,95.217.203.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.206.235,95.217.208.71,95.217.210.63,95.217.211.224,95.217.211.231,95.217.211.237,95.217.21.233,95.217.2.156,95.217.217.198,95.217.217.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 842"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522841; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.221.79,95.217.22.2,95.217.223.54,95.217.235.148,95.217.23.60,95.217.237.142,95.217.238.12,95.217.239.111,95.217.239.25,95.217.248.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 843"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.217.2.71,95.217.42.50,95.217.42.94,95.217.5.88,95.217.62.4,95.217.6.94,95.217.78.84,95.217.97.138,95.223.238.165,95.235.40.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 844"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522843; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.245.62.11,95.26.22.180,95.28.2.35,95.42.102.195,95.67.38.55,95.72.153.75,95.80.10.222,95.84.140.36,95.85.19.85,95.85.8.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 845"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [95.90.99.13,95.91.1.248,95.91.172.217,96.126.105.219,96.126.110.163,96.225.177.69,96.233.74.18,96.238.85.65,96.253.78.108,96.255.209.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 846"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522845; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [96.35.39.175,96.65.68.193,97.103.2.110,97.107.132.24,97.107.137.101,97.107.138.162,97.107.139.108,97.107.139.28,97.107.141.130,97.115.165.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 847"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [97.119.194.246,97.69.218.38,97.87.109.113,97.90.159.235,97.93.202.22,98.128.172.177,98.128.173.1,98.128.186.118,98.128.192.100,98.14.166.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 848"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522847; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
alert tcp [98.165.46.62,98.174.215.13,98.193.69.56,98.220.248.235,98.225.157.78,98.234.222.4,98.37.64.180,99.105.213.162,99.122.201.244,99.131.45.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 849"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:4210; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_10_06;)
...
Thus, I must create an “enable.conf” file and fill it with something like:
# Example of enabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401
# Example of enabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+
# Examples of enabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*
Then, do I use the “suricata-update - enable.conf” command? Can you show me an example of an “enable.conf” file?
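Added example (editor's illustration, not code from the poster or from the suricata-update project): a small Python reimplementation of how the three kinds of enable.conf entry shown in the template above select rules out of a merged suricata.rules, so the effect of an id line, a `re:` line and a `group:` line can be checked offline. The matching semantics are a simplified assumption about suricata-update's behaviour (gid defaults to 1, `re:` is a case-insensitive search over the raw rule text, `group:` is a shell-style glob over the source file name with or without its `.rules` extension). The first two sample rules are trimmed copies of the ET TOR rules in the post; the ICMP and HeartBleed rules and their sids 9000001/9000002 are constructed placeholders.

```python
import fnmatch
import re

# Constructed sample: (source rule file, rule text) pairs as they sit in the
# merged suricata.rules. suricata-update remembers the source file as the
# rule's "group"; the sid is what makes each rule unique. The first two are
# trimmed from the post; the last two are invented placeholders.
SAMPLE_RULES = [
    ("emerging-tor.rules",
     'alert tcp [95.217.164.106,95.217.164.136] any -> $HOME_NET any '
     '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 840"; '
     'classtype:misc-attack; sid:2522839; rev:4210;)'),
    ("emerging-tor.rules",
     'alert tcp [95.217.183.21,95.217.186.37] any -> $HOME_NET any '
     '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 841"; '
     'classtype:misc-attack; sid:2522840; rev:4210;)'),
    ("emerging-icmp.rules",
     'alert icmp any any -> $HOME_NET any (msg:"ET ICMP constructed sample"; '
     'sid:9000001; rev:1;)'),
    ("emerging-exploit.rules",
     'alert tls any any -> $HOME_NET any (msg:"ET EXPLOIT HeartBleed constructed sample"; '
     'sid:9000002; rev:1;)'),
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def rule_ids(rule_text):
    """Return (gid, sid) for a rule; gid defaults to 1 when absent, as in Suricata."""
    sid_m = SID_RE.search(rule_text)
    if sid_m is None:
        raise ValueError("rule has no sid: %r" % rule_text)
    gid_m = GID_RE.search(rule_text)
    return (int(gid_m.group(1)) if gid_m else 1), int(sid_m.group(1))


def parse_enable_conf(text):
    """Turn enable.conf lines into (kind, predicate) pairs.

    Lines starting with '#' and blank lines are ignored. Supported entries
    mirror the template comments: 'gid:sid' or 'sid', 're:<regex>' and
    'group:<glob>'. (Assumed semantics, not suricata-update's own parser.)
    """
    matchers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # Regular expression matches are case insensitive, per the template.
            pattern = re.compile(line[3:].strip(), re.IGNORECASE)
            matchers.append(("re", lambda group, rule, p=pattern: p.search(rule) is not None))
        elif line.startswith("group:"):
            # Glob against the source file name, with or without ".rules".
            glob = line[6:].strip()
            matchers.append(("group", lambda group, rule, g=glob: (
                fnmatch.fnmatch(group, g)
                or fnmatch.fnmatch(group[:-len(".rules")] if group.endswith(".rules") else group, g))))
        else:
            gid, _, sid = line.rpartition(":")
            want = (int(gid) if gid else 1, int(sid))
            matchers.append(("id", lambda group, rule, w=want: rule_ids(rule) == w))
    return matchers


def select_sids(enable_conf_text, rules=SAMPLE_RULES):
    """Return the sids of rules that any enable.conf entry selects, in file order."""
    matchers = parse_enable_conf(enable_conf_text)
    return [rule_ids(rule)[1] for group, rule in rules
            if any(match(group, rule) for _, match in matchers)]


# Constructed enable.conf exercising all three entry kinds.
ENABLE_CONF = """\
# constructed example enable.conf
1:2522839
re:heartbleed
group:emerging-icmp.rules
"""

if __name__ == "__main__":
    print(select_sids(ENABLE_CONF))       # [2522839, 9000001, 9000002]
    print(select_sids("group:emerging-tor"))  # [2522839, 2522840]
```

In the real workflow the same file is passed with `suricata-update --enable-conf enable.conf` (the tool also reads `/etc/suricata/enable.conf` by default), and the sid is the stable key to enable a specific rule by, while `group:` selects by the source file a rule came from before it was merged into suricata.rules.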