Rules from Suricata-update are not getting loaded

Hello everyone!

My goal is to feed Suricata with rules from MISP, and the only thing left is to figure out why the rules downloaded by suricata-update are not loaded into the suricata.rules file. The MISP API's output format looks like this:

# MISP export of IDS rules - optimized for 
# These NIDS rules contain some variables that need to exist in your configuration.
# Make sure you have set:
# $HOME_NET     - Your internal network range
# $EXTERNAL_NET - The network considered as outside
# $SMTP_SERVERS - All your internal SMTP servers
# $HTTP_PORTS   - The ports used to contain HTTP traffic (not required with suricata export)

Anyone had the same problem before?

What version of suricata-update are you using?
How do you run it?
Did you configure anything related to the MISP source?
Provide the output of the suricata-update run.

I’m on version 7.0.2.
I run suricata-update with the following command:
suricata-update --no-check-certificate and configured the source with this one:
suricata-update add-source --http-header " Authorization: API_KEY" mispsource https://MISP_IP/events/nids/suricata/download/MISP_EVENT_ID
On the MISP side there seems to be no problem; the answer from the API should be ingestible by Suricata.
The output of suricata-update is strange because it says it successfully fetched the rules.

29/2/2024 -- 07:41:22 - <Info> -- Checking https://misp_ip/events/nids/suricata/download/1701.md5.
29/2/2024 -- 07:41:23 - <Info> -- Fetching https://misp_ip/events/nids/suricata/download/1701.
 100% - 1182/1182
29/2/2024 -- 07:41:24 - <Info> -- Done

Current suricata-update will only look for rules in files that end in .rules, as rulesets can contain other types of files.

Are you able to change things such that you are downloading https://misp_ip/events/nids/suricata/download/1701.rules? Then it should work. We do have an open issue for this and it shouldn’t be too hard to fix:
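As an added example for this thread (not code from the Suricata or MISP projects), the script below checks a source URL and the fetched content the way suricata-update treats them: a URL whose last path segment does not end in .rules is fetched (hence the "100% - 1182/1182" line above) but its content never reaches suricata.rules. The helper names, the sample export and the rule in it (address 203.0.113.10, sid 4001701) are constructed for illustration and are not real MISP output.

```shell
#!/bin/sh
# Added example, not part of the original thread. Helpers are hypothetical.

# Return 0 when the URL path (query string stripped) ends in ".rules",
# which is the suffix suricata-update requires before it parses a file.
url_is_rules_file() {
    case "${1%%\?*}" in
        *.rules) return 0 ;;
        *)       return 1 ;;
    esac
}

# Count rule lines in an export, skipping the "#" header MISP prepends and
# blank lines. Only the common actions are matched; extend if you use others.
count_rules() {
    grep -c -E '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# Return 0 when a rule with the given sid is present in a merged rules file,
# e.g. /var/lib/suricata/rules/suricata.rules after a suricata-update run.
rule_loaded() {
    grep -q -E "sid:[[:space:]]*$2;" "$1"
}

# Constructed sample of a MISP NIDS export: comment header plus one invented
# rule (the address and sid are placeholders).
write_sample_export() {
    cat > "$1" <<'EOF'
# MISP export of IDS rules
# These NIDS rules contain some variables that need to exist in your configuration.
# Make sure you have set:
# $HOME_NET     - Your internal network range

alert ip $HOME_NET any -> 203.0.113.10 any (msg:"MISP event 1701 Outgoing To IP 203.0.113.10"; classtype:trojan-activity; sid:4001701; rev:1;)
EOF
}

# Stand-alone demo: the URL from the thread versus the one with .rules appended.
demo() {
    base="https://MISP_IP/events/nids/suricata/download/1701"
    for u in "$base" "$base.rules"; do
        if url_is_rules_file "$u"; then
            echo "ok:      $u (suricata-update will parse it)"
        else
            echo "skipped: $u (no .rules suffix, content is ignored)"
        fi
    done
    f=$(mktemp)
    write_sample_export "$f"
    echo "rules in sample export: $(count_rules "$f")"
    rule_loaded "$f" 4001701 && echo "sid 4001701 present in $f"
    rm -f "$f"
}

demo
```

After a real run, point rule_loaded at the merged suricata.rules with a sid you know is in the MISP event to confirm the source was actually ingested rather than only fetched. Note that the --no-check-certificate flag used earlier in the thread disables TLS verification for every configured source, not only the MISP one; trusting the MISP server's CA on the host is the safer way to handle a self-signed certificate.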


I have changed the URL, and MISP gives back the same answer as without the .rules ending; it seems like it ignores anything after the ID for some reason. Anyway, it's working now.