Snort Rules in Suricata 6.x in Offline Mode

Hello All,

I have a Suricata instance that does not have internet access. I currently update my Suricata rules using suricata-update pointing to a local file. I would like to incorporate Snort subscriber rules as well as the Suricata ET Open rules and need some information on how to do this. Do I just update the suricata-update --local= to point to the snort file?

Also, I’m assuming only use snort 2.9 rules?

Thanks in advance!

Does anyone have any thoughts on this?

Check out the enable-source command for Suricata-Update: enable-source - Enable a source — suricata-update 1.3.0 documentation

You can enable a source that is a file:// URL, so just point that to the tar of Snort rules.

Note that Snort rules are not tested by us at all, so your mileage may vary.

Thank you for the reply. Since I’m already using the file option for suricata-update to point to my off-line Suricata ET rules, will adding the path to the snort-tar.gz file overwrite the path to the ET rules, or will it add a second file location option?

Thank you again for your time!

Which file option is that?

I’d recommend doing the add-source 2x, for each of your offline rulesets… Something like:

suricata-update add-source local-etopen file:///tmp/etopen.tar.gz
suricata-update add-source local-snort file:///tmp/snort.tar.gz
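A script that wires up the two-source setup from the reply above, as an added example that is not part of the thread or of suricata-update itself. The tarball paths and the source names local-etopen and local-snort are assumptions (the same placeholders the reply uses); the checks before add-source are there so a wrong path fails loudly instead of leaving the sensor on stale rules.

```shell
#!/bin/sh
# Added example (not from the thread): register two offline rule tarballs as
# separate suricata-update sources, then run one update so both rulesets end
# up in the single merged rules file Suricata loads.
set -eu

ETOPEN_TGZ="${ETOPEN_TGZ:-/tmp/etopen.tar.gz}"   # ET Open tarball copied to the box (assumed path)
SNORT_TGZ="${SNORT_TGZ:-/tmp/snort.tar.gz}"      # Snort 2.9-syntax subscriber tarball (assumed path)

# Turn an absolute local path into the file:// URL form that add-source expects.
to_file_url() {
    case "$1" in
        /*) printf 'file://%s\n' "$1" ;;
        *)  echo "to_file_url: need an absolute path, got '$1'" >&2; return 1 ;;
    esac
}

# Refuse a source whose tarball is missing, empty or not gzip-compressed.
check_tarball() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    gzip -t "$1" 2>/dev/null || { echo "not a valid gzip archive: $1" >&2; return 1; }
}

# Each ruleset gets its own named source. add-source appends a new source;
# it does not replace the one registered before it.
register_offline_sources() {
    check_tarball "$ETOPEN_TGZ"
    check_tarball "$SNORT_TGZ"
    suricata-update add-source local-etopen "$(to_file_url "$ETOPEN_TGZ")"
    suricata-update add-source local-snort  "$(to_file_url "$SNORT_TGZ")"
}

# file:// sources are read from disk, so no network access is needed here.
# Both sources are merged into the default output, /var/lib/suricata/rules/suricata.rules.
run_update() {
    suricata-update
}

# Only perform the real changes when invoked as: ./offline-rules.sh run
if [ "${1:-}" = "run" ]; then
    register_offline_sources
    run_update
fi
```

Re-running the script after dropping new tarballs in place is safe: add-source simply rewrites the same two source definitions.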

Thank you again! Greatly appreciated!