So after this I just run suricata-update -f --fail and then service start suricata.
And I can actually see that the rule in ownserver.rules has been added at the end of /var/lib/suricata/rules/suricata.rules:
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid issuer"; flow:established; app-layer-event:tls.certificate_invalid_issuer; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230029; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid validity"; flow:established; app-layer-event:tls.certificate_invalid_validity; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230030; rev:1;)
alert http any any -> any any (msg:"THIS IS AN OWNSERVER ALERT"; classtype:protocol-command-decode; sid:33333333; rev:1;)
But all the default suricata-update rules are still there. So the problem is: why does only that last rule work? I mean, there are 34k rules in the file, but the only alert that fires is the one I added.
If I have an external local rule-file, those rules do work too, but it seems that adding the source to suricata-update disables all the 34k rules in the main rule-file. And I have also tested that if, instead of adding it with suricata-update add-source, I just manually edit suricata.rules and add the same rule at the end of the file, the other 34k rules still work.
So is this supposed to work like this, or what am I doing wrong? If it is supposed to work like this, why keep the 34k rules in the file?
If that had happened, all the 34k rules would have been prefixed with #. Do you see that happen?
That indeed sounds weird.
I just did a test just like you explained, all rules seem to be fine and picked up properly.
Do make sure that the rule path settings in your suricata.yaml point to the correct files.
No, the rules are not commented. In the post, the 3 rules I show as an example are literally a copy-paste of the last 3 lines of the suricata.rules file.
It is indeed weird; I just wanted to make sure that this was not intended to work like this before spending even more time looking for something that might not be wrong. It is really strange because, as far as I can see, the suricata.rules file generated by suricata-update and the one I edit manually are exactly the same, but one does not work. Is there any kind of special end of line that I must add in the server rule-file, or something like that maybe? I have no clue what I am doing wrong.
This list is indeed picked up from the standard sources that come with suricata-update. It does not seem to include manually added sources.
It seems to me that by default sources are disabled; you have to enable them as you like. suricata-update creates a separate config file for each source in /var/lib/suricata/update/sources/ (if /var/ was your localstatedir). So you should see a config file there specifically for your source…
What's questionable now is where those 34k rules are coming from if no other source is enabled. Could you please wipe your suricata rules dir and run suricata-update again to see if it still adds all those rules?
If no sources are configured, Suricata-Update will default to the et/open ruleset. If you add a ruleset, either with add-source or enable-source, only that source will be used. You can then enable the et/open source manually with the command suricata-update enable-source et/open.
This isn’t the most straightforward, and I’ve recently been thinking the default should be no rulesets enabled at all, or a better way of defaulting to et/open but not disabling it when another source is added, instead requiring it to be disabled explicitly.
Thank you and yes, in my opinion this can be confusing.
And just so I understand it correctly:
If the et/open source is not enabled and I add my own source, only my source will be used. I get this. But shouldn’t the et/open rules at least be commented out in the suricata.rules file? Or is being disabled just enough to not use them, even if they are in the file?
And finally, if et/open is disabled, where do the 380 rules come from when I use my own source? I just have 1 rule in my source, but the suricata.rules file has 382 lines.
If the et/open ruleset is not enabled, there should be no reference to them in the output suricata.rules. The only time this is not true is when no ruleset is enabled; then suricata-update uses et/open by default.
The extra rules you are seeing are likely the engine-provided rules like tls-events.rules and dns-events.rules. These are included by default as well, and aren’t really considered a ruleset you can enable or disable. You can disable them using disable.conf, though.
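The two questions in this thread (are the et/open rules still in the generated file but commented out, and where do the ~380 extra lines come from when the only enabled source holds one rule) can be settled by inspecting the generated suricata.rules directly. The script below is an added example written for this thread; it is not code from Suricata or suricata-update. It parses the merged rules file, separates commented-out rules from active ones, groups rules by a msg-prefix heuristic chosen here (the "SURICATA " prefix for the engine-provided event rules, "ET " for Emerging Threats), flags CRLF line endings since the question about special end-of-line characters came up, and then applies a simplified re-implementation of the documented disable.conf "sid" and "re:" entry forms to show which engine rules such an entry would drop. The sample file, the DNS and ET rules in it, and the disable.conf contents are all constructed for the example.

```python
"""Inspect a suricata-update generated suricata.rules file (added example).

Not code from the Suricata project. Classification by msg prefix is a
heuristic used here; the disable.conf matcher is a simplified
re-implementation of the "sid", "gid:sid" and "re:<regex>" entry forms
documented for suricata-update, not the tool's own matcher.
"""
import re
from collections import Counter

# Constructed sample of a generated file. The two TLS rules and the custom
# rule are the ones quoted in the thread; the DNS rules, the "ET" rule and
# their sids are made up for this example. The last line ends in CRLF on
# purpose so the line-ending check has something to report.
SAMPLE_RULES = """\
# suricata-update output (constructed sample)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid issuer"; flow:established; app-layer-event:tls.certificate_invalid_issuer; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230029; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid validity"; flow:established; app-layer-event:tls.certificate_invalid_validity; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230030; rev:1;)
alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240001; rev:2;)
# alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET CONSTRUCTED sample rule for this example"; flow:established,to_server; content:"example"; sid:2999999; rev:1;)
alert http any any -> any any (msg:"THIS IS AN OWNSERVER ALERT"; classtype:protocol-command-decode; sid:33333333; rev:1;)\r
"""

# A rule line: optional "# " (disabled), action, proto, src, sport, dir,
# dst, dport, then the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((?P<options>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rules(text):
    """Yield one dict per rule line; comment lines that are not rules are skipped."""
    for lineno, line in enumerate(text.split('\n'), 1):
        stripped = line.rstrip('\r')
        m = RULE_RE.match(stripped)
        if not m:
            continue
        opts = m.group('options')
        msg = MSG_RE.search(opts)
        sid = SID_RE.search(opts)
        yield {
            'lineno': lineno,
            'raw': stripped,
            'disabled': bool(m.group('disabled')),
            'msg': msg.group(1) if msg else '',
            'sid': int(sid.group(1)) if sid else None,
            'crlf': line.endswith('\r'),
        }


def classify(rule):
    """Heuristic grouping by msg prefix (a naming convention, not metadata)."""
    if rule['msg'].startswith('SURICATA '):
        return 'engine-events'   # tls-events.rules, dns-events.rules, ...
    if rule['msg'].startswith('ET '):
        return 'et/open'
    return 'other/custom'


def summarize(text):
    """Count active and commented-out rules per class, plus CRLF-terminated lines."""
    by_class, crlf = Counter(), 0
    for rule in parse_rules(text):
        by_class[(classify(rule), 'disabled' if rule['disabled'] else 'active')] += 1
        crlf += rule['crlf']
    return {'by_class': by_class, 'crlf_lines': crlf}


def disabled_by(rule, disable_conf):
    """True if a disable.conf entry matches this rule (simplified matcher).

    "group:<file>" entries match the source file name, which the merged
    suricata.rules no longer carries, so they are ignored here.
    """
    for entry in disable_conf.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith('#') or entry.startswith('group:'):
            continue
        if entry.startswith('re:'):
            if re.search(entry[3:], rule['raw']):
                return True
        elif entry.split(':')[-1] == str(rule['sid']):
            return True
    return False


# Constructed disable.conf: drop the engine TLS event rules, keep everything else.
DISABLE_CONF = 're:msg:"SURICATA TLS\n'


def active_after_disable(text, disable_conf):
    """Sorted sids that stay active once disable.conf is applied."""
    return sorted(r['sid'] for r in parse_rules(text)
                  if not r['disabled'] and not disabled_by(r, disable_conf))


if __name__ == '__main__':
    s = summarize(SAMPLE_RULES)
    for (cls, state), n in sorted(s['by_class'].items()):
        print(f'{cls:14s} {state:9s} {n}')
    print('lines with CRLF endings:', s['crlf_lines'])
    print('active after disable.conf:', active_after_disable(SAMPLE_RULES, DISABLE_CONF))
```

Run it against a real file by replacing SAMPLE_RULES with the contents of /var/lib/suricata/rules/suricata.rules: a count of several hundred active engine-events rules and zero et/open rules is the "only my source plus the engine rules" state described above, while thousands of active et/open rules mean et/open is still enabled (or is being used as the default because no source is enabled). Use `suricata-update list-enabled-sources` to confirm which it is, and put the real disable.conf entry in /etc/suricata/disable.conf rather than the constructed DISABLE_CONF string.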