Suricata-update add-source for previously disabled source

When you add a source with suricata-update add-source and then disable that source, there is no way to re-enable it without getting an error.

    $ sudo suricata-update add-source abuse.ch-URLhaus-IDS https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz 
    $ ls -la ./sources/
    -rw-r--r-- 1 root root  108 Jul 24 18:03 abuse.ch-URLhaus-IDS.yaml

    $ sudo suricata-update disable-source abuse.ch-URLhaus-IDS
    <Info> -- Source abuse.ch-URLhaus-IDS has been disabled
    $ ls -la ./sources/
    -rw-r--r-- 1 root root  108 Jul 24 18:03 abuse.ch-URLhaus-IDS.yaml.disabled

    $ sudo suricata-update add-source abuse.ch-URLhaus-IDS https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz 
    <Error> -- A source with name abuse.ch-URLhaus-IDS already exists.

    $ sudo suricata-update enable-source abuse.ch-URLhaus-IDS
    <Info> -- Re-enabling previously disabled source for abuse.ch-URLhaus-IDS.
    <Error> -- Unknown source: abuse.ch-URLhaus-IDS

Hi @James_Lagermann!
Welcome to our forum. I checked what you have mentioned. It is indeed happening and is not the correct behavior. Do you mind opening a redmine ticket for this? The content you have posted here works for the redmine too.
We are looking into it and shall get it fixed soon.
Thank you very much!

I’ll open a ticket this morning (as soon as I figure out how to).

Thanks James. Send a dm if you need assistance.

Hi, was this ever fixed? As well as the issue noted by OP, it seems list-sources doesn’t list sources added via add-source.
This is on version 1.1.0 (rev: 63493db), the version pip3 installs (the dummy source at the end is an override of env variable SOURCE_INDEX_URL):

    [root@corelight]# suricata-update add-source foo https://bar.com/baz.rules.tar.gz --suricata-conf=/var/corelight/suricata/.suricata.yaml --suricata=/usr/bin/corelight-suricata -D /etc/corelight/suricata-update -v
    12/5/2021 -- 15:44:16 - <Debug> -- This is suricata-update version 1.1.0 (rev: 63493db); Python: 3.6.8 (default, Aug 13 2020, 07:46:32) - [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value subcommand -> add-source
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value verbose -> True
    12/5/2021 -- 15:44:16 - <Debug> -- Setting data directory to /etc/corelight/suricata-update
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value suricata-conf -> /var/corelight/suricata/.suricata.yaml
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value suricata -> /usr/bin/corelight-suricata
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value version -> False
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value name -> foo
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value url -> https://bar.com/baz.rules.tar.gz
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value no-checksum -> True
    12/5/2021 -- 15:44:16 - <Debug> -- Setting configuration value func -> <function add_source at 0x7f071bddd730>
    12/5/2021 -- 15:44:16 - <Info> -- Found Suricata version 5.0.3-corelight at /usr/bin/corelight-suricata.
    [root@corelight]# suricata-update disable-source foo --suricata-conf=/var/corelight/suricata/.suricata.yaml --suricata=/usr/bin/corelight-suricata -D /etc/corelight/suricata-update -v
    12/5/2021 -- 15:44:40 - <Debug> -- This is suricata-update version 1.1.0 (rev: 63493db); Python: 3.6.8 (default, Aug 13 2020, 07:46:32) - [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value subcommand -> disable-source
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value verbose -> True
    12/5/2021 -- 15:44:40 - <Debug> -- Setting data directory to /etc/corelight/suricata-update
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value suricata-conf -> /var/corelight/suricata/.suricata.yaml
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value suricata -> /usr/bin/corelight-suricata
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value version -> False
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value name -> foo
    12/5/2021 -- 15:44:40 - <Debug> -- Setting configuration value func -> <function disable_source at 0x7f2da1a4ce18>
    12/5/2021 -- 15:44:40 - <Info> -- Found Suricata version 5.0.3-corelight at /usr/bin/corelight-suricata.
    12/5/2021 -- 15:44:40 - <Debug> -- Renaming /etc/corelight/suricata-update/update/sources/foo.yaml to /etc/corelight/suricata-update/update/sources/foo.yaml.disabled.
    12/5/2021 -- 15:44:40 - <Info> -- Source foo has been disabled
    [root@corelight]# suricata-update add-source foo https://bar.com/baz.rules.tar.gz --suricata-conf=/var/corelight/suricata/.suricata.yaml --suricata=/usr/bin/corelight-suricata -D /etc/corelight/suricata-update -v
    12/5/2021 -- 15:45:06 - <Debug> -- This is suricata-update version 1.1.0 (rev: 63493db); Python: 3.6.8 (default, Aug 13 2020, 07:46:32) - [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value subcommand -> add-source
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value verbose -> True
    12/5/2021 -- 15:45:06 - <Debug> -- Setting data directory to /etc/corelight/suricata-update
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value suricata-conf -> /var/corelight/suricata/.suricata.yaml
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value suricata -> /usr/bin/corelight-suricata
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value version -> False
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value name -> foo
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value url -> https://bar.com/baz.rules.tar.gz
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value no-checksum -> True
    12/5/2021 -- 15:45:06 - <Debug> -- Setting configuration value func -> <function add_source at 0x7fd5fe5f4730>
    12/5/2021 -- 15:45:06 - <Info> -- Found Suricata version 5.0.3-corelight at /usr/bin/corelight-suricata.
    12/5/2021 -- 15:45:06 - <Error> -- A source with name foo already exists.
    [root@corelight]# suricata-update enable-source foo --suricata-conf=/var/corelight/suricata/.suricata.yaml --suricata=/usr/bin/corelight-suricata -D /etc/corelight/suricata-update -v
    12/5/2021 -- 15:45:13 - <Debug> -- This is suricata-update version 1.1.0 (rev: 63493db); Python: 3.6.8 (default, Aug 13 2020, 07:46:32) - [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value subcommand -> enable-source
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value verbose -> True
    12/5/2021 -- 15:45:13 - <Debug> -- Setting data directory to /etc/corelight/suricata-update
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value suricata-conf -> /var/corelight/suricata/.suricata.yaml
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value suricata -> /usr/bin/corelight-suricata
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value version -> False
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value name -> foo
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value params -> []
    12/5/2021 -- 15:45:13 - <Debug> -- Setting configuration value func -> <function enable_source at 0x7fc0e03debf8>
    12/5/2021 -- 15:45:13 - <Info> -- Found Suricata version 5.0.3-corelight at /usr/bin/corelight-suricata.
    12/5/2021 -- 15:45:13 - <Info> -- Re-enabling previously disabled source for foo.
    12/5/2021 -- 15:45:13 - <Error> -- Unknown source: foo
    [root@corelight]# suricata-update list-sources --suricata-conf=/var/corelight/suricata/.suricata.yaml --suricata=/usr/bin/corelight-suricata -D /etc/corelight/suricata-update -v
    12/5/2021 -- 15:45:26 - <Debug> -- This is suricata-update version 1.1.0 (rev: 63493db); Python: 3.6.8 (default, Aug 13 2020, 07:46:32) - [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value subcommand -> list-sources
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value verbose -> True
    12/5/2021 -- 15:45:26 - <Debug> -- Setting data directory to /etc/corelight/suricata-update
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value suricata-conf -> /var/corelight/suricata/.suricata.yaml
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value suricata -> /usr/bin/corelight-suricata
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value version -> False
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value free -> False
    12/5/2021 -- 15:45:26 - <Debug> -- Setting configuration value func -> <function list_sources at 0x7f31ac5b1a60>
    12/5/2021 -- 15:45:26 - <Info> -- Found Suricata version 5.0.3-corelight at /usr/bin/corelight-suricata.
    Name: foobar
      Vendor: Am I vendor
      Summary: Who am I
      License: MIT

I’ve uploaded 1.2.1 to PyPI so a pip install should get that one. The issue in the OP is fixed, however, added sources will still not be shown in list-sources, as that is primarily a command for viewing the index. However, this is a good feature idea since you can add a source, and disable it without actually removing it, so listing “local” sources would be very useful. I’ve created a ticket for this:

https://redmine.openinfosecfoundation.org/issues/4481

By the way, this looks like it’s running on a Corelight box. You should ask them to bundle Suricata-Update with Suricata. Suricata releases ship with the best version of Suricata-Update for that release and it’s aware of all the paths of the Suricata it was installed with. Makes for an overall much better user experience.
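
Since list-sources only shows the index, a rule-source inventory has to come from the files themselves. The sketch below is an added example, not part of the thread and not suricata-update's own code: it lists local sources from the `*.yaml` / `*.yaml.disabled` file names seen in the output above. `local_sources`, `reenable` and `demo` are hypothetical helpers, and `reenable` assumes that reversing the rename shown in the debug log is enough to restore a source on a version that still has the bug.

```python
"""Inventory locally added suricata-update sources, enabled or disabled."""
import sys
import tempfile
from pathlib import Path

# Longest suffix first so "x.yaml.disabled" is not read as an enabled file.
SUFFIXES = ((".yaml.disabled", "disabled"), (".yaml", "enabled"))


def local_sources(sources_dir):
    """Return {name: "enabled" | "disabled" | "conflict"} for sources_dir."""
    states = {}
    for path in sorted(Path(sources_dir).iterdir()):
        for suffix, state in SUFFIXES:
            if path.name.endswith(suffix):
                name = path.name[: -len(suffix)]
                # Both files present for one name means an ambiguous state.
                states[name] = "conflict" if name in states else state
                break
    return states


def reenable(sources_dir, name):
    """Undo the disable-source rename (assumption: this alone restores it)."""
    disabled = Path(sources_dir) / (name + ".yaml.disabled")
    enabled = Path(sources_dir) / (name + ".yaml")
    if enabled.exists() or not disabled.exists():
        return False  # nothing to restore, or it would overwrite a live file
    disabled.rename(enabled)
    return True


def demo():
    """Constructed directory that mirrors the file names in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname in ("abuse.ch-URLhaus-IDS.yaml.disabled", "foo.yaml", "README"):
            (Path(tmp) / fname).write_text("# constructed placeholder\n")
        before = local_sources(tmp)
        changed = reenable(tmp, "abuse.ch-URLhaus-IDS")
        return before, changed, local_sources(tmp)


if __name__ == "__main__":
    # Pass the sources directory (<data-dir>/update/sources in the log above);
    # with no argument the constructed demo layout is inventoried instead.
    found = local_sources(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    for name, state in found.items():
        print(f"{state:9} {name}")
```

Run with the sources directory as its only argument, it prints one line per source and changes nothing; `reenable` is never called from the command line.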

Oh wow. Thanks for the speedy reply and updating PyPI!
1.2.1 does indeed fix the aforementioned bug.