So I was thinking that Suricata could offer a SQL database connection to load rules from a database (just supply the SQL connection settings in the suricata.yaml file). This could save some time in organising and keeping rules in a searchable format (I also wrote an app that can store, search and edit rules, then dump them as text, so shameless plug here as well…). Anyway, Python's suricata-ids idstools can parse rules files into a format that is easier to work with than a set of rules files… It would also offer the ability to connect remotely to a centralised rules database for control over what happens there.
In my schema I loaded the ET ruleset into a table like this:
| id | raw | sid | message | comment | enabled | classtype | content | rev |
And I can search pretty accurately to check what threats are being checked (e.g. trojan), but there's no setting to allow loading these rules into the Suricata engine…
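As an added example (not the poster's app, and not idstools), here is the workflow the post describes done end to end with the standard library: parse a rules file into a table with the columns listed above, search it by message or classtype, toggle a rule's enabled flag from the database side, and dump the table back out as rules-file text that Suricata can load in the usual way until a native SQL loader exists. The rule parser is a minimal hand-written one that only extracts the columns in the schema (idstools is assumed not to be installed); the sample rules are constructed for this example and are not from the ET ruleset.

```python
"""Store Suricata rules in a SQL table, search them, and dump the enabled set
back out as a rules file. Added example with a minimal hand-written parser
(the post uses idstools; that library is not assumed here)."""
import re
import sqlite3

# Constructed sample rules for this example; NOT from the ET ruleset.
# The second rule is commented out, as a disabled rule would be in a real file.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Beacon check-in"; flow:established,to_server; content:"beacon"; classtype:trojan-activity; sid:9000001; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE DNS Suspicious query"; content:"|01 00 00 01|"; classtype:bad-unknown; sid:9000002; rev:1;)
alert http any any -> any any (msg:"EXAMPLE WEB_SERVER Path traversal attempt"; content:"../"; classtype:web-application-attack; sid:9000003; rev:3;)
# this is a plain comment, not a disabled rule
"""

# Same columns as the table in the post; "comment" is a free-form analyst note.
SCHEMA = """
CREATE TABLE rules (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    raw       TEXT NOT NULL,
    sid       INTEGER NOT NULL UNIQUE,
    message   TEXT,
    comment   TEXT,
    enabled   INTEGER NOT NULL,  -- 1 = active, 0 = commented out in the file
    classtype TEXT,
    content   TEXT,              -- first content: match, kept for searching
    rev       INTEGER
)
"""

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}


def _option(options, name):
    """Return the value of the first `name:value;` option, quoted or bare."""
    m = re.search(r'(?:^|;)\s*' + re.escape(name) + r':\s*("?)(.*?)\1\s*;', options)
    return m.group(2) if m else None


def parse_rule(line):
    """Parse one rules-file line into the table's columns. Returns None for
    blank lines and ordinary comments; a commented-out rule is returned with
    enabled=0 so it can be switched back on from the database later."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = 1
    if stripped.startswith("#"):
        stripped = stripped.lstrip("#").strip()
        enabled = 0
    if not stripped or stripped.split(None, 1)[0] not in ACTIONS:
        return None  # a plain comment, not a disabled rule
    start, end = stripped.find("("), stripped.rfind(")")
    if start < 0 or end < start:
        return None
    options = stripped[start + 1:end]
    sid = _option(options, "sid")
    if sid is None:
        return None  # every real rule carries a sid; skip malformed lines
    rev = _option(options, "rev")
    return {
        "raw": stripped,
        "sid": int(sid),
        "message": _option(options, "msg"),
        "comment": None,
        "enabled": enabled,
        "classtype": _option(options, "classtype"),
        "content": _option(options, "content"),
        "rev": int(rev) if rev is not None else None,
    }


def load_rules(conn, rules_text):
    """Insert every rule found in rules_text; returns the number stored."""
    rows = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    conn.executemany(
        "INSERT INTO rules (raw, sid, message, comment, enabled, classtype, content, rev) "
        "VALUES (:raw, :sid, :message, :comment, :enabled, :classtype, :content, :rev)",
        rows,
    )
    conn.commit()
    return len(rows)


def search_rules(conn, term):
    """Sids whose message or classtype contains term (case-insensitive LIKE),
    e.g. 'trojan' as in the post."""
    like = f"%{term}%"
    cur = conn.execute(
        "SELECT sid FROM rules WHERE message LIKE ? OR classtype LIKE ? ORDER BY sid",
        (like, like),
    )
    return [row[0] for row in cur.fetchall()]


def set_enabled(conn, sid, enabled):
    """Enable or disable a rule from the database side instead of editing files."""
    conn.execute("UPDATE rules SET enabled = ? WHERE sid = ?", (1 if enabled else 0, sid))
    conn.commit()


def dump_rules(conn):
    """Render the table back into rules-file text for Suricata; disabled rules
    are written commented out so nothing is lost between round trips."""
    cur = conn.execute("SELECT raw, enabled FROM rules ORDER BY sid")
    lines = [raw if enabled else "# " + raw for raw, enabled in cur.fetchall()]
    return "\n".join(lines) + "\n"


def build_db(rules_text=SAMPLE_RULES):
    """Create an in-memory database loaded with rules_text and return it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    load_rules(conn, rules_text)
    return conn


if __name__ == "__main__":
    db = build_db()
    print("trojan hits:", search_rules(db, "trojan"))
    set_enabled(db, 9000002, True)
    print(dump_rules(db))
```

Pointing Suricata at the output of `dump_rules` (written to a file listed under `rule-files` in suricata.yaml) gives the database-driven control the post asks for without engine changes; swapping `sqlite3` for a client of a central server is the only change needed for the remote case.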