How to use suricata-update on airgapped system?

I would like to take advantage of the suricata.rules that is generated with suricata-update on an internet connected machine and transfer it to an airgapped machine.

What is the best approach to accomplish this? I’m thinking of using the ruleset created through suricata-update as a local.rules.

Any suggestions?


How would you transfer the file in general? You are quite flexible with the generated file and either rsync it, make it available via https etc.

Moving the suricata.rules to the new system isn’t the issue, I just have to use a removable media device. Let me refine the question.

Beyond putting the new file in /var/suricata/rules/ and doing a systemctl reload suricata, is there anything else I need to do?

No, there shouldn’t be. Just make sure that is where the Suricata on the airgapped system is looking for rules.
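One way to script the step described above (drop the transferred file into the rules directory and reload), written as an added example for this thread rather than code from the thread or from the Suricata project. It assumes a SHA-256 recorded on the connected machine travels with the file, that the config lives at /etc/suricata/suricata.yaml, and that `suricata -T` with `-S` is available on the airgapped box:

```shell
#!/bin/sh
# Added example, not from the thread: install a suricata.rules file carried over
# on removable media. The SHA-256 recorded on the connected machine is checked
# first, then Suricata's config test (-T) runs against the new file, and only
# then is the live file replaced and the service reloaded.
set -u

RULES_DIR="${RULES_DIR:-/var/suricata/rules}"                 # path from the thread
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}" # assumed config path
SURICATA_BIN="${SURICATA_BIN:-suricata}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload suricata}"

# Hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Number of non-blank, non-comment lines, so an empty or truncated copy is rejected.
count_rules() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# install_rules SRC EXPECTED_SHA256 -> returns 0 on success, 1 on any failed check.
install_rules() {
    src="$1"; expected="$2"
    if [ "$(sha256_of "$src")" != "$expected" ]; then
        echo "refusing $src: SHA-256 does not match the recorded value" >&2; return 1
    fi
    if [ "$(count_rules "$src")" -eq 0 ]; then
        echo "refusing $src: no rules found" >&2; return 1
    fi
    # Test the config with the new file loaded exclusively (-S) before touching the live one.
    if ! "$SURICATA_BIN" -T -c "$SURICATA_YAML" -S "$src" >/dev/null 2>&1; then
        echo "refusing $src: suricata -T failed" >&2; return 1
    fi
    mkdir -p "$RULES_DIR"
    if [ -f "$RULES_DIR/suricata.rules" ]; then
        cp "$RULES_DIR/suricata.rules" "$RULES_DIR/suricata.rules.bak"   # keep the previous set
    fi
    # Write to a temp name and rename, so a reload never sees a half-written file.
    cp "$src" "$RULES_DIR/suricata.rules.tmp" && mv "$RULES_DIR/suricata.rules.tmp" "$RULES_DIR/suricata.rules"
    $RELOAD_CMD
}
```

Run it as `install_rules /media/usb/suricata.rules <sha256 from the connected machine>`; a mismatch, an empty file, or a failed `-T` leaves the live ruleset untouched.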

Perfect, thank you for the response Jason!

I have a similar setup, except that the system is accessible through the internal network but cannot access the internet, and I have to push rules from the Suricata server that has internet access. What is the best way here?
@ish please comment