Installing default Suricata 6.0.2 rules onto machine without internet access

I’d like to install the default rules included by running suricata-update on my suricata installation which does not have internet access. I am running suricata 6.0.2 which I installed from an RPM.

I have downloaded the tar containing the rules from: https://rules.emergingthreats.net/open/suricata-6.0.2/emerging.rules.tar.gz

Then, I extracted the rules from the above tar file and tried copying them into the below directories, then running suricata-update. I referenced this page (GitHub - OISF/suricata-update: The tool for updating your Suricata rules) to find the directories.

  • /etc/suricata/rules/
  • /usr/share/suricata/rules
  • /var/lib/suricata/update/cache

However, running suricata-update did not seem to add any new rules:

13/4/2021 -- 14:22:29 - <Info> -- Loaded 352 rules.

Is there a recommended way to install the default rules on a server without internet access?

In a typical install /etc/suricata/rules is not used anymore. Also /var/lib/suricata/update/cache is assumed to be controlled by suricata-update. In your case I’d try:

  • Put emerging.rules.tar.gz in some known location, for the sake of example, /tmp/emerging.rules.tar.gz.
  • Add this file as a source: suricata-update add-source et-local file:///tmp/emerging.rules.tar.gz
  • Then you should be able to run suricata-update as if you were online.
  • To get new rules, copy a new file to /tmp and run suricata-update again.
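The procedure from the reply above, as an added example that is not from the thread or the Suricata project: a small sh wrapper that checks the tarball carried over from the connected side against a SHA-256 recorded at download time, confirms it actually contains .rules files, and only then registers it with suricata-update. The source name et-local and the /tmp path are taken from the reply; sha256sum and tar are assumed to be available.

```shell
#!/bin/sh
# Offline Suricata rule refresh (added example, not the thread's own commands).
# Verify the sneakernet-transferred bundle, then feed it to suricata-update
# as a file:// source. Assumes sha256sum and tar exist and that the expected
# digest was recorded on the internet-connected side when the file was fetched.
set -eu

RULES_TAR="${1:-/tmp/emerging.rules.tar.gz}"   # path used in the reply
EXPECTED_SHA256="${2:-}"                       # digest noted at download time
SOURCE_NAME="et-local"                         # source name used in the reply

# Returns 0 if the tarball hashes to the expected digest, 1 otherwise.
check_digest() {
    tarball="$1"; expected="$2"
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Returns 0 if the archive lists at least one .rules file; returns 1 when the
# file is empty, truncated, or not a gzip tarball at all (tar errors are muted).
contains_rules() {
    tar -tzf "$1" 2>/dev/null | grep -q '\.rules$'
}

# Pre-flight: both checks must pass before suricata-update ever sees the file.
verify_bundle() {
    check_digest "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    contains_rules "$1"    || { echo "no .rules files inside $1" >&2; return 1; }
}

main() {
    [ -n "$EXPECTED_SHA256" ] || { echo "usage: $0 <tarball> <sha256>" >&2; exit 2; }
    verify_bundle "$RULES_TAR" "$EXPECTED_SHA256"
    # Register the local archive as a source, then update exactly as if online.
    suricata-update add-source "$SOURCE_NAME" "file://$RULES_TAR"
    suricata-update
}

# Run main only when invoked as the script itself, so the functions can be
# sourced and exercised on their own.
case "${0##*/}" in offline_rule_update.sh) main "$@" ;; esac
```

For later refreshes, replace the tarball at the same path with a new one, re-run the checks with the new digest, and run suricata-update again, as the reply describes.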

That worked. Thanks, Jason.