Suricata-update add custom source

I am adding a custom source to suricata-update, it is just a test so I just have 1 file with 1 rule:

suricata-update add-source --http-header "Authorization: Basic YWRYWRYWRYWR=" ELKServer http://localhost:9595/ownserver.rules

So after this I just
suricata-update -f --fail
service start suricata
And I can actually see that the rule in ownserver.rules has been added at the end of the /var/lib/suricata/rules/suricata.rules:

alert tls any any -> any any (msg:"SURICATA TLS certificate invalid issuer"; flow:established; app-layer-event:tls.certificate_invalid_issuer; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230029; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid validity"; flow:established; app-layer-event:tls.certificate_invalid_validity; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230030; rev:1;)
alert http any any -> any any (msg:"THIS IS AN OWNSERVER ALERT"; classtype:protocol-command-decode; sid:33333333; rev:1;)

But all the default suricata-update rules are still there. So the problem is, why does only that last rule work? I mean, there are 34k rules in the file but the only alert that fires is the one I added.

If I have an external local rule-file, those rules do work too, but it seems that adding the source to suricata-update disables all the 34k rules in the main rule-file. And I have also tested that if, instead of adding it with suricata-update add-source, I just manually edit suricata.rules and add the same rule at the end of the file, the other 34k rules still work.

So is this supposed to work like this, or what am I doing wrong? If it is supposed to work like this, why keep the 34k rules in the file?

If that had happened, all the 34k rules would have been prefixed with #. Do you see that happen?

That indeed sounds weird.
I just did a test just like you explained, all rules seem to be fine and picked up properly.
Do make sure that the rule path settings in your suricata.yaml point to the correct files.

No, the rules are not commented. In the post the 3 rules I show as an example are literally the copy-paste of the 3 last lines in suricata.rules file.

It is indeed weird, I just wanted to make sure that this was not intended to work like this before spending even more time looking for something that might not be wrong. It is really strange because, as far as I can see, the suricata.rules file generated by suricata-update and the one I edit manually are exactly the same, but one does not work. Is there any kind of special end of line that I must add in the server rule-file or something maybe? I have no clue what I am doing wrong.

I have seen something that might help. If I list the sources in suricata-update my server isn't there:

root@66d6227f7f71:/# suricata-update list-sources
9/8/2023 -- 12:23:08 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:23:08 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:23:08 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:23:08 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only

but if I try to add it, it says it is already there:

root@66d6227f7f71:/# suricata-update add-source --http-header "Authorization: Basic YWRYWRYWRYWR=4=" ELKServer http://172.16.238.12:9595/ownserver.rules
9/8/2023 -- 12:23:01 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:23:01 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:23:01 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:23:01 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
9/8/2023 -- 12:23:01 - <Error> -- A source with name ELKServer already exists.

and if I list the enabled sources:

root@66d6227f7f71:/# suricata-update list-sources --enabled
9/8/2023 -- 12:27:59 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:27:59 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:27:59 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:27:59 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
Enabled sources:
  - ELKServer

it is the only one to appear. Although if I just list the enabled sources when I don't add my own server, it doesn't show anything:

root@dcd61f0ac960:/# suricata-update list-sources --enabled
9/8/2023 -- 12:37:57 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:37:57 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:37:57 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:37:57 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
9/8/2023 -- 12:37:57 - <Warning> -- No enabled sources.

This list is indeed picked up from the standard sources that come with suricata-update. It does not seem to include manually added sources.

It seems to me that by default sources are disabled; you have to enable them as you like. suricata-update creates a separate config file for each source in /var/lib/suricata/update/sources/ if /var/ was your localstatedir. So, you should see a config file here specifically for your source…

What’s questionable now is where are those 34k rules coming from if no other source is enabled. Could you please wipe out your suricata rules dir and run suricata-update again to see if it still adds all those rules?

Does Suricata, when all sources are disabled, enable them by default? I mean, when I don't use

I did this and it created a new suricata.rules with just 381 lines and my own server rule. So I don't really understand what is happening.

If no sources are configured, Suricata-Update will default to the et/open ruleset. If you add a ruleset, either with add-source or enable-source, only that source will be used. You can then enable the et/open source manually with the command suricata-update enable-source et/open.

This isn't the most straightforward, and I've recently been thinking the default should be no rulesets enabled at all, or a better way of defaulting to et/open but not disabling it when another source is added, but instead requiring it to be disabled.


Thank you and yes, in my opinion this can be confusing.

And just so I understand it correctly:
If the et/open source is not enabled, and I add my own source, only my source will be used. I get this. But shouldn't the et/open rules be at least commented out in the suricata.rules file? Or is being disabled enough to not use them, even if they are in the file?
And finally if et/open is disabled, where do the 380 rules come from when I use my own source? I just have 1 rule in my source but suricata.rules file has 382 lines.

If the et/open ruleset is not enabled, there should be no reference to them in the output suricata.rules. The only time this is not true is when no ruleset is enabled; then suricata-update uses et/open by default.

The extra rules you are seeing are likely the engine provided rules like tls-events.rules, dns-events.rules. These are included by default as well, and aren’t really considered a ruleset you can enable or disable. You can disable them using disable.conf though.
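A small checker for the situation discussed in this thread, added here as an example; it is not part of the original discussion and not code from suricata-update. It parses a suricata.rules file, counts enabled versus #-commented rules per family, and reports whether any ET rules are present at all, which is the difference between "et/open was never enabled" and "et/open rules are there but disabled". The sample input is constructed from the rule lines quoted above plus one made-up commented ET rule, and the msg-prefix heuristic used to label families is an assumption.

```python
import re
from collections import Counter

# Constructed sample of a suricata-update output file: the three lines quoted
# in the thread plus one made-up, commented-out ET rule.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid issuer"; flow:established; app-layer-event:tls.certificate_invalid_issuer; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230029; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid validity"; flow:established; app-layer-event:tls.certificate_invalid_validity; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230030; rev:1;)
#alert http any any -> any any (msg:"ET POLICY constructed example"; sid:2000001; rev:1;)
alert http any any -> any any (msg:"THIS IS AN OWNSERVER ALERT"; classtype:protocol-command-decode; sid:33333333; rev:1;)
"""

# A rule line, optionally disabled with a leading '#', with its msg and sid.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s.*?'
    r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);'
)

def classify(msg: str) -> str:
    # Assumed heuristic: engine-provided rules (tls-events, dns-events, ...)
    # carry "SURICATA " in msg, Emerging Threats rules carry "ET "/"ETPRO ".
    if msg.startswith("SURICATA "):
        return "engine-provided"
    if msg.startswith(("ET ", "ETPRO ")):
        return "et"
    return "other"

def summarize(text: str) -> dict:
    """Count enabled and '#'-disabled rules per family."""
    enabled, disabled = Counter(), Counter()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and comments that are not rules
        family = classify(m.group("msg"))
        (disabled if m.group("disabled") else enabled)[family] += 1
    return {"enabled": dict(enabled), "disabled": dict(disabled)}

def diagnose(summary: dict) -> str:
    """Map the counts onto the cases discussed in the thread."""
    en, dis = summary["enabled"], summary["disabled"]
    if en.get("et", 0) == 0 and dis.get("et", 0) == 0:
        return "no ET rules present: et/open is not an enabled source"
    if en.get("et", 0) == 0:
        return "ET rules present but all disabled (check disable.conf)"
    return "ET rules enabled"

if __name__ == "__main__":
    s = summarize(SAMPLE_RULES)
    print(s, diagnose(s))
```

Run it against /var/lib/suricata/rules/suricata.rules by reading that file into summarize() instead of SAMPLE_RULES.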