I have seen something that might help. If I list the sources in suricata-update, my server isn't there:

```
root@66d6227f7f71:/# suricata-update list-sources
9/8/2023 -- 12:23:08 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:23:08 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:23:08 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:23:08 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
Name: et/open
Vendor: Proofpoint
Summary: Emerging Threats Open Ruleset
License: MIT
Name: et/pro
Vendor: Proofpoint
Summary: Emerging Threats Pro Ruleset
License: Commercial
Replaces: et/open
Parameters: secret-code
Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
Vendor: OISF
Summary: Suricata Traffic ID ruleset
License: MIT
Name: scwx/enhanced
Vendor: Secureworks
Summary: Secureworks suricata-enhanced ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
Vendor: Secureworks
Summary: Secureworks suricata-malware ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
Vendor: Secureworks
Summary: Secureworks suricata-security ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
Vendor: Abuse.ch
Summary: Abuse.ch SSL Blacklist
License: Non-Commercial
Name: sslbl/ja3-fingerprints
Vendor: Abuse.ch
Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
License: Non-Commercial
Name: etnetera/aggressive
Vendor: Etnetera a.s.
Summary: Etnetera aggressive IP blacklist
License: MIT
Name: tgreen/hunting
Vendor: tgreen
Summary: Threat hunting rules
License: GPLv3
Name: malsilo/win-malware
Vendor: malsilo
Summary: Commodity malware rules
License: MIT
Name: stamus/lateral
Vendor: Stamus Networks
Summary: Lateral movement rules
License: GPL-3.0-only
```
But if I try to add it, it says it is already there:

```
root@66d6227f7f71:/# suricata-update add-source --http-header "Authorization: Basic YWRYWRYWRYWR=4=" ELKServer http://172.16.238.12:9595/ownserver.rules
9/8/2023 -- 12:23:01 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:23:01 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:23:01 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:23:01 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
9/8/2023 -- 12:23:01 - <Error> -- A source with name ELKServer already exists.
```
And if I list the enabled sources:

```
root@66d6227f7f71:/# suricata-update list-sources --enabled
9/8/2023 -- 12:27:59 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:27:59 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:27:59 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:27:59 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
Enabled sources:
- ELKServer
```
it is the only one that appears. However, if I just list the enabled sources without adding my own server, it doesn't show anything:

```
root@dcd61f0ac960:/# suricata-update list-sources --enabled
9/8/2023 -- 12:37:57 - <Info> -- Using data-directory /var/lib/suricata.
9/8/2023 -- 12:37:57 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/8/2023 -- 12:37:57 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/8/2023 -- 12:37:57 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
9/8/2023 -- 12:37:57 - <Warning> -- No enabled sources.
```
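The two listings in the post read from different places, which explains why a source added from a private URL shows up under `--enabled` but not in the plain `list-sources` output. The script below is an added example, not part of the original post and not code from the suricata-update project. It assumes that suricata-update stores each configured source as `<data-dir>/update/sources/<name>.yaml` (renamed to `.yaml.disabled` when disabled) with the keys `source`, `url` and, when given, `http-header`, and that the downloaded source index lives at `<data-dir>/update/cache/index.yaml`. It builds a constructed data directory mirroring the situation above, then reports each local source, whether it is enabled, whether it comes from the index or was added by hand, and, because `--http-header` values such as the `Authorization` header end up stored in that YAML file, whether the file holding the credential is readable by every local user.

```sh
#!/bin/sh
# Added example, not from the original post or from the suricata-update project.
# Assumption: suricata-update keeps each configured source as
#   <data-dir>/update/sources/<name>.yaml   (renamed to .yaml.disabled when disabled)
# with keys "source", "url" and optionally "http-header", and keeps the downloaded
# source index at <data-dir>/update/cache/index.yaml. "list-sources" reads the index,
# "list-sources --enabled" reads the sources directory, so a source added from a
# private URL appears in one listing but not the other.

# Build a constructed data directory that mimics the situation in the post.
make_sample_datadir() {
    d=$(mktemp -d)
    mkdir -p "$d/update/sources" "$d/update/cache"
    cat > "$d/update/cache/index.yaml" <<'EOF'
version: 1
sources:
  et/open:
    vendor: Proofpoint
    summary: Emerging Threats Open Ruleset
  scwx/malware:
    vendor: Secureworks
    summary: Secureworks suricata-malware ruleset
EOF
    # Private source added with add-source; the header value is a placeholder.
    cat > "$d/update/sources/ELKServer.yaml" <<'EOF'
source: ELKServer
url: http://172.16.238.12:9595/ownserver.rules
http-header: "Authorization: Basic PLACEHOLDER"
EOF
    chmod 644 "$d/update/sources/ELKServer.yaml"
    printf 'source: et/open\n' > "$d/update/sources/et-open.yaml"
    printf 'source: scwx/malware\n' > "$d/update/sources/scwx-malware.yaml.disabled"
    echo "$d"
}

# One line per local source file: name, enabled/disabled, index/custom, and whether
# a stored HTTP header (i.e. a credential) is readable by every local user.
report_sources() {
    datadir="$1"
    index="$datadir/update/cache/index.yaml"
    for f in "$datadir"/update/sources/*.yaml "$datadir"/update/sources/*.yaml.disabled; do
        [ -e "$f" ] || continue
        name=$(sed -n 's/^source: *//p' "$f")
        case "$f" in *.disabled) state=disabled ;; *) state=enabled ;; esac
        if [ -r "$index" ] && grep -q "^ *$name:" "$index"; then
            origin=index
        else
            origin=custom
        fi
        extra=""
        if grep -q '^http-header:' "$f"; then
            # Column 8 of "ls -l" output is the other-read permission bit.
            if [ "$(ls -ld "$f" | cut -c8)" = r ]; then
                extra=" header-world-readable"
            else
                extra=" header-protected"
            fi
        fi
        printf '%s %s %s%s\n' "$name" "$state" "$origin" "$extra"
    done
}

dir=$(make_sample_datadir)
report_sources "$dir"
rm -rf "$dir"
```

Run against a real sensor by calling `report_sources /var/lib/suricata` (the data directory printed in the log lines above); a `custom` line is a source that only `list-sources --enabled` will ever show, and a `header-world-readable` line is a stored credential whose file mode should be tightened.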