Suricata loads a lot of rules by default and I want that to stop happening.
My goal is to run suricata with rules explicitly provided by me and nothing else.
Thanks in advance!
The easiest way would be to look for this in your configuration file:
rule-files:
- suricata.rules
and only list your own rule files.
What if I want to use suricata-update and provide rules from there?
My problem is that suricata-update not only fetches the rules which I specified but also loads these event rules seen below:
15/3/2024 -- 12:35:42 - <Info> -- No sources configured, will use Emerging Threats Open
15/3/2024 -- 12:35:42 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.2/emerging.rules.tar.gz.md5 .
15/3/2024 -- 12:35:43 - <Info> -- Remote checksum has not changed. Not fetching.
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
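A quick way to see exactly what suricata-update pulled in, rather than eyeballing the log, is to parse its output and compare the loaded distribution rule files against the set you actually intend to run. The script below is an added example (not from the thread and not part of suricata-update); it uses the log lines posted above as its sample input, and the `allowed_files` allowlist and the `audit_update_log`/`findings` function names are my own.

```python
"""Audit a suricata-update log: which sources and rule files did it load?

Added example, not part of the original thread or of suricata-update itself.
It parses the log format shown in the thread and reports (a) whether a default
source such as ET Open was used because no source was configured, (b) the
remote URLs that were checked, and (c) the distribution rule files loaded from
the Suricata install, flagging any that are not on an operator allowlist.
"""
import re
from collections import Counter

# Sample input: the log lines posted in the thread above, embedded as a string.
SAMPLE_LOG = """\
15/3/2024 -- 12:35:42 - <Info> -- No sources configured, will use Emerging Threats Open
15/3/2024 -- 12:35:42 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.2/emerging.rules.tar.gz.md5 .
15/3/2024 -- 12:35:43 - <Info> -- Remote checksum has not changed. Not fetching.
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
15/3/2024 -- 12:35:43 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
"""

# Generic suricata-update log line: "<d/m/Y> -- <H:M:S> - <Level> -- <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+/\d+/\d+ -- \d+:\d+:\d+) - <(?P<level>\w+)> -- (?P<msg>.*)$")
DIST_RE = re.compile(r"^Loading distribution rule file (?P<path>\S+)$")
DEFAULT_SOURCE_RE = re.compile(r"^No sources configured, will use (?P<source>.+)$")
CHECK_RE = re.compile(r"^Checking (?P<url>https?://\S+)")


def audit_update_log(text, allowed_files=()):
    """Parse suricata-update output and summarise what it loaded.

    allowed_files: basenames of distribution rule files the operator intends
    to load (e.g. {"files.rules"}); every other loaded file is reported as
    unexpected. With an empty allowlist, all distribution files are unexpected.
    """
    allowed = set(allowed_files)
    report = {
        "default_source": None,    # set when suricata-update fell back to a default source
        "remote_urls": [],         # URLs suricata-update checked
        "distribution_files": [],  # full paths of distribution rule files loaded
        "unexpected_files": [],    # loaded distribution files not on the allowlist
        "levels": Counter(),       # number of log lines per level
        "unparsed": 0,             # lines that did not match the log format
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            report["unparsed"] += 1
            continue
        report["levels"][m.group("level")] += 1
        msg = m.group("msg")
        d = DEFAULT_SOURCE_RE.match(msg)
        if d:
            report["default_source"] = d.group("source")
            continue
        c = CHECK_RE.match(msg)
        if c:
            report["remote_urls"].append(c.group("url"))
            continue
        f = DIST_RE.match(msg)
        if f:
            path = f.group("path")
            report["distribution_files"].append(path)
            if path.rsplit("/", 1)[-1] not in allowed:
                report["unexpected_files"].append(path)
    return report


def findings(report):
    """Turn a report into a list of human-readable findings."""
    out = []
    if report["default_source"]:
        out.append(f"no source configured: suricata-update fell back to '{report['default_source']}'")
    for p in report["unexpected_files"]:
        out.append(f"distribution rule file loaded that is not on the allowlist: {p}")
    if not out:
        out.append("only allowlisted rule files were loaded")
    return out


if __name__ == "__main__":
    # Pretend the operator only wants files.rules from the distribution set.
    for line in findings(audit_update_log(SAMPLE_LOG, allowed_files={"files.rules"})):
        print(line)
```

Run it against a real log (`suricata-update 2>&1 | tee update.log`, then feed the file's contents to `audit_update_log`) after changing the source configuration: if the "no source configured" finding disappears and the unexpected-file list is empty, the rule set that reaches Suricata is the one you intended.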
If you only want your rule file and don’t want suricata-update to fetch rules from other sources, you can use the disable-sources command of suricata-update – use suricata-update --help to get started.