Several questions on external rules

Hi all,
I’m new to Suricata (and IDS in general) and I just installed version 6 on Ubuntu from the official PPA.

Before going deep into writing my own rules, I would like to better learn how to integrate the available ones.

  1. The first thing I did was to run the standard commands to update/list rules and sources (suricata-update, update-sources and list-sources) and I found several sources/rules integrated in Suricata, but some of them require a subscription or are available for non-commercial use only.
    Where can I find other free sources to integrate in Suricata?

  2. I found this website: https://rules.emergingthreats.net/open/suricata-5.0/rules/ (it’s for Suricata 5 but it states Suricata 6 can use the same rules).
    I think it is the “official” Emerging Threats rule server but I’m pretty sure not every rule is included in my list source (using wc -l on suricata.rules I have only 23k lines when those files in total are over 63k lines).
    I tried to download and include these rules in my suricata.yaml too, but some of them are duplicated.
    How can I check what is included and what is not?
    Is it safe to download and include them (these ones and in general other rules)?

  3. (Maybe a stupid question) I know it depends on hardware and network traffic, but how many rules can be loaded into Suricata before it becomes overwhelmed: 10K, 50K, 100K?
    I mean, can I include every rule without problems, or is it better to have several Suricata instances, each one managing a specific group of rules?

Thanks,
Karim

The list-sources command will list the ones we know about that are in a format that works with Suricata-Update. You’d have to search to find others. Sometimes blogs/Twitter post rules that are in GitHub repos and whatnot.

I’m going to bet a good chunk of those rules are in the deleted.rules file, which we don’t include in the Suricata-Update output by default. If you want to include those rules, you could pass the --no-ignore command line option. But there is usually a reason they were “deleted”.

Experience will vary. I hear lots of OK results with 50k rules. Getting over 100K is where I usually hear things going wrong. But it only takes 1 bad rule to cause big issues.

We (ET) have the deleted.rules file as well as many disabled rules that are commented out in their corresponding rule files. We usually don’t recommend using deleted rules, while disabled rules are usually things that are old (from our vantage point) and/or have more of a performance hit than we would like to see in the default enabled set.
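
One way to answer "what is included and what is not" is to compare rules by sid rather than by line count. This is an added example, not code from any poster in this thread or from the Suricata or ET projects. It indexes each downloaded rule file by sid, separates enabled rules from commented-out ones, and reports which upstream rules are not active in the merged suricata.rules, plus any sid defined in more than one file. The file names, rule text and sids in the sample data are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches an enabled or commented-out ("#alert ...") rule line and captures its sid.
RULE_RE = re.compile(
    r'^\s*(#?)\s*(?:alert|drop|pass|reject\w*)\s.*?\bsid\s*:\s*(\d+)\s*;')

def index_rules(text):
    """Map sid -> True (enabled) or False (commented out) for one rule file."""
    sids = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            sids[int(m.group(2))] = (m.group(1) == "")
    return sids

def compare(merged_text, sources):
    """Explain, per source file, which rules are not active in the merged file."""
    merged = index_rules(merged_text)
    seen = defaultdict(list)  # sid -> source files that define it
    report = {}
    for name, text in sources.items():
        rules = index_rules(text)
        for sid in rules:
            seen[sid].append(name)
        report[name] = {
            "total": len(rules),
            "disabled_upstream": sorted(s for s, on in rules.items() if not on),
            "enabled_but_not_active": sorted(
                s for s, on in rules.items() if on and not merged.get(s, False)),
        }
    duplicates = {s: files for s, files in seen.items() if len(files) > 1}
    return report, duplicates

# Constructed sample data (not real ET rules); sids are placeholders.
MERGED = 'alert http any any -> any any (msg:"A"; sid:1000001; rev:1;)\n'
SOURCES = {
    "emerging-malware.rules":
        'alert http any any -> any any (msg:"A"; sid:1000001; rev:1;)\n'
        '#alert tcp any any -> any any (msg:"B old"; sid:1000002; rev:3;)\n',
    "deleted.rules":
        'alert tcp any any -> any any (msg:"C deleted"; sid:1000003; rev:2;)\n',
    "local-copy.rules":
        'alert http any any -> any any (msg:"A"; sid:1000001; rev:1;)\n',
}

if __name__ == "__main__":
    report, dups = compare(MERGED, SOURCES)
    for name, r in report.items():
        print(name, r)
    print("duplicate sids:", dups)
```

On real data, read the merged suricata.rules and the downloaded rule files into `merged_text` and `sources`. Commented-out lines inflate a `wc -l` total, which is why the sid comparison gives a clearer picture than line counts.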