Question about suricata-update


Is there any chance to use suricata-update but download all the rules into separate files (instead of the suricata.rules file)?

While not recommended, there is the --no-merge option which will write out the files to their original names.


Why is it not recommended? It should work the exact same, right?

For me, I think that having them in separate files is more practical in terms of organizing and filtering what rules to use :slight_smile:

If you split them out into multiple files you'll have to make sure to include what you want in your suricata.yaml; if using the default, you just include suricata.rules. This is probably the main one, I prefer to manage my rules in one place.

I suppose it's also possible for a rule to depend on flowbits being set in a rule from a different file. If you decide not to include one rule file, you may unintentionally be disabling a rule. Note that I haven't checked if rule vendors do this, but it's a non-issue if using the merged output.

If two rule sources that you use happen to have duplicated filenames, but with different content, one will overwrite the other in the non-merged output. This is another non-issue in the merged output.
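One way to check the flowbits concern raised above before dropping a file from a --no-merge output is to index which file sets each flowbit and which file checks it. The script below is an added example written for this thread; it is not part of suricata-update or Suricata. The three rule files and every rule in them are constructed for illustration (private-range sids, EXAMPLE messages), not vendor rules. It treats set and toggle as leaving a bit set, isset and isnotset as depending on it, splits combined names on | and &, and ignores commented-out (disabled) rules, since a disabled setter does not help a rule that checks the bit.

```python
"""Report cross-file flowbits dependencies in a set of Suricata rule files."""
import re
from collections import defaultdict

# Constructed sample rules, laid out the way a non-merged download keeps them:
# one list per rule file. Illustrative only, not vendor rules.
RULE_FILES = {
    "sample-setters.rules": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE stage1 seen"; '
        'flow:established,to_server; content:"POST"; http_method; '
        'flowbits:set,example.stage1; flowbits:noalert; sid:9000001; rev:1;)',
    ],
    "sample-checkers.rules": [
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stage2 after stage1"; '
        'flow:established,to_client; flowbits:isset,example.stage1; '
        'content:"stage2"; sid:9000002; rev:1;)',
        'alert tcp any any -> any any (msg:"EXAMPLE orphan check"; '
        'flowbits:isset,example.never_set; sid:9000003; rev:1;)',
    ],
    "sample-local.rules": [
        'alert dns any any -> any any (msg:"EXAMPLE local set"; content:"example"; '
        'flowbits:set,example.local; flowbits:noalert; sid:9000004; rev:1;)',
        'alert dns any any -> any any (msg:"EXAMPLE local or stage1"; '
        'flowbits:isset,example.local|example.stage1; sid:9000005; rev:1;)',
        # Disabled rule: it must not count as a setter for example.never_set.
        '# alert tcp any any -> any any (msg:"EXAMPLE disabled setter"; '
        'flowbits:set,example.never_set; sid:9000006; rev:1;)',
    ],
}

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]*))?;")
SETTERS = {"set", "toggle"}       # keywords that leave a bit set
CHECKERS = {"isset", "isnotset"}  # keywords whose outcome depends on a setter


def flowbits_in_rule(rule):
    """Return (names set, names checked) for one rule line.

    Blank lines and commented-out (disabled) rules contribute nothing."""
    line = rule.strip()
    if not line or line.startswith("#"):
        return set(), set()
    sets, checks = set(), set()
    for action, names in FLOWBITS_RE.findall(line):
        if not names:  # e.g. flowbits:noalert has no bit name
            continue
        # Several names may be joined with | or &; each one is a real reference.
        for name in (n.strip() for n in re.split(r"[|&]", names)):
            if action in SETTERS:
                sets.add(name)
            elif action in CHECKERS:
                checks.add(name)
    return sets, checks


def index_flowbits(rule_files):
    """Map each flowbit name to the files that set it and the files that check it."""
    set_in, checked_in = defaultdict(set), defaultdict(set)
    for fname, rules in rule_files.items():
        for rule in rules:
            sets, checks = flowbits_in_rule(rule)
            for name in sets:
                set_in[name].add(fname)
            for name in checks:
                checked_in[name].add(fname)
    return set_in, checked_in


def cross_file_dependencies(rule_files):
    """Return ({file: other files it needs loaded}, {bits checked but never set})."""
    set_in, checked_in = index_flowbits(rule_files)
    deps = {fname: set() for fname in rule_files}
    orphans = set()
    for name, checkers in checked_in.items():
        setters = set_in.get(name, set())
        if not setters:
            orphans.add(name)
            continue
        for fname in checkers:
            if fname not in setters:  # the bit is only set in some other file
                deps[fname] |= setters
    return deps, orphans


def files_needed_for(fname, rule_files):
    """Transitive closure: every other file that must be loaded alongside fname."""
    deps, _ = cross_file_dependencies(rule_files)
    needed, todo = set(), [fname]
    while todo:
        for dep in deps.get(todo.pop(), ()):
            if dep != fname and dep not in needed:
                needed.add(dep)
                todo.append(dep)
    return needed


if __name__ == "__main__":
    deps, orphans = cross_file_dependencies(RULE_FILES)
    for fname in sorted(deps):
        print(f"{fname}: needs {sorted(deps[fname]) or 'nothing else'}")
    print("checked but never set:", sorted(orphans))
```

Run it against the directory suricata-update wrote to and it tells you which files have to stay together in the rule-files list of suricata.yaml. Suricata itself warns at startup (and under -T) about flowbits that are checked but never set, so the orphan case is caught either way; what the loader will not tell you is which file you left out to cause it.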

I understand that. But maybe if the suricata.rules file were divided into groups of rules it would be much easier. I think the rules are all merged together, and searching through thousands of rules is a pain hahahah :slight_smile: