Hack3rcon (Jason Long), October 7, 2023, 10:05am, #1
Hello,
I have some questions about the rules settings:
1- I enabled the et/open rule and updated Suricata-IDS:
# suricata-update enable-source et/open
# suricata-update
After that, I can't see some rules like https://rules.emergingthreats.net/blockrules/ in the /usr/share/suricata/rules directory:
# ls
app-layer-events.rules dns-events.rules http-events.rules mqtt-events.rules rfb-events.rules stream-events.rules
decoder-events.rules files.rules ipsec-events.rules nfs-events.rules smb-events.rules tls-events.rules
dhcp-events.rules ftp-events.rules kerberos-events.rules ntp-events.rules smtp-events.rules
dnp3-events.rules http2-events.rules modbus-events.rules quic-events.rules ssh-events.rules
2- To enable all the rules I created an enable.conf file in the /etc/suricata/ directory and wrote the following value inside it:
re: .
Does this cause all rules to be activated?
3- Activating some rules requires a secret-code, for example:
# suricata-update enable-source scwx/malware
7/10/2023 -- 02:42:12 - <Info> -- Using data-directory /var/lib/suricata.
7/10/2023 -- 02:42:12 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
7/10/2023 -- 02:42:12 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
7/10/2023 -- 02:42:12 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
The source scwx/malware requires a subscription. Subscribe here:
https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Secureworks Threat Intelligence Authentication Token (secret-code):
Does it need to be purchased?
4- In which directory should the following rules be placed?
https://rules.emergingthreats.net/open/suricata-7.0.0/emerging.rules.tar.gz
Thank you.
bakriabbas (Abubakr Mohammed), October 8, 2023, 5:53am, #2
Use suricata-update list-sources to check the sources you want to add, then suricata-update enable-source source_name.
enable.conf will activate the rule lines in IDS/IPS.
disable.conf will disable/comment the rule lines in IDS/IPS.
All rules are combined in /var/lib/suricata/rules/suricata.rules.
Hack3rcon (Jason Long), October 8, 2023, 7:11am, #3
Hello,
Thank you so much for your reply.
1- I have done all those steps:
# suricata-update list-sources
8/10/2023 -- 02:50:58 - <Info> -- Using data-directory /var/lib/suricata.
8/10/2023 -- 02:50:58 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
8/10/2023 -- 02:50:58 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
8/10/2023 -- 02:50:58 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
Name: et/open
Vendor: Proofpoint
Summary: Emerging Threats Open Ruleset
License: MIT
Name: et/pro
Vendor: Proofpoint
Summary: Emerging Threats Pro Ruleset
License: Commercial
Replaces: et/open
Parameters: secret-code
Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
...
I have already activated et/open:
# suricata-update enable-source et/open
8/10/2023 -- 02:53:03 - <Info> -- Using data-directory /var/lib/suricata.
8/10/2023 -- 02:53:03 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
8/10/2023 -- 02:53:03 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
8/10/2023 -- 02:53:03 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
8/10/2023 -- 02:53:03 - <Warning> -- The source et/open is already enabled.
8/10/2023 -- 02:53:03 - <Info> -- Source et/open enabled
#
And finally:
# suricata-update
8/10/2023 -- 02:57:49 - <Info> -- Using data-directory /var/lib/suricata.
8/10/2023 -- 02:57:49 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
8/10/2023 -- 02:57:49 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
8/10/2023 -- 02:57:49 - <Info> -- Found Suricata version 7.0.0 at /usr/bin/suricata.
8/10/2023 -- 02:57:49 - <Info> -- Loading /etc/suricata/drop.conf.
8/10/2023 -- 02:57:49 - <Info> -- Loading /etc/suricata/suricata.yaml
8/10/2023 -- 02:57:49 - <Info> -- Disabling rules for protocol pgsql
8/10/2023 -- 02:57:49 - <Info> -- Disabling rules for protocol modbus
8/10/2023 -- 02:57:49 - <Info> -- Disabling rules for protocol dnp3
8/10/2023 -- 02:57:49 - <Info> -- Disabling rules for protocol enip
8/10/2023 -- 02:57:49 - <Info> -- Fetching https://security.etnetera.cz/feeds/etn_aggressive.rules.
100% - 166433/166433
....
But I don’t see the rules in the https://rules.emergingthreats.net/blockrules/emerging-tor.rules file!!!
2- How do I enable or disable all rules at once?
bakriabbas (Abubakr Mohammed), October 8, 2023, 8:24am, #4
The et/open contains tor.rules, not emerging-tor.rules.
For enable and disable, try to use a wildcard:
group:*
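As an added example (not suricata-update's own code and not from either poster): a small Python model of how enable.conf and disable.conf lines resolve against rules, using constructed rule files named like those in et/open (tor.rules, emerging-*.rules). It assumes the documented matcher forms, `re:` searched across the whole rule text, `group:` matched against the rule file name with shell wildcards, and a bare sid or gid:sid, and it assumes enable.conf is applied after disable.conf, so `re: .` or `group:*` in enable.conf turns on every rule, including ones the vendor ships commented out.

```python
import fnmatch
import re

# Constructed sample: (rule file name inside the source, rule line). The sids,
# addresses and messages are made up; a leading '#' is a vendor-disabled rule.
SAMPLE_RULES = [
    ("tor.rules", 'alert ip [192.0.2.1] any -> $HOME_NET any (msg:"ET TOR Exit Node"; sid:2520000; rev:1;)'),
    ("tor.rules", '# alert ip [192.0.2.2] any -> $HOME_NET any (msg:"ET TOR Relay"; sid:2520001; rev:1;)'),
    ("emerging-dns.rules", 'alert dns any any -> any any (msg:"ET DNS Suspicious query"; sid:2027863; rev:1;)'),
    ("emerging-scan.rules", 'alert tcp any any -> $HOME_NET 22 (msg:"ET SCAN SSH brute force"; sid:2001219; rev:1;)'),
]

def parse_rule(group, line):
    """Split a rule line into its group (file name), sid, text and default state."""
    text = line.strip()
    enabled = not text.startswith("#")
    text = text.lstrip("# ")
    sid = int(re.search(r"sid:\s*(\d+)", text).group(1))
    return {"group": group, "sid": sid, "text": text, "enabled": enabled}

def matcher_hits(matcher, rule):
    """One enable.conf/disable.conf line against one rule (simplified model)."""
    m = matcher.strip()
    if m.startswith("re:"):        # regex searched across the whole rule text
        return re.search(m[3:].strip(), rule["text"]) is not None
    if m.startswith("group:"):     # shell-style wildcard against the file name
        return fnmatch.fnmatch(rule["group"], m[6:].strip())
    if ":" in m:                   # gid:sid form, e.g. 1:2520000
        gid, sid = m.split(":", 1)
        return gid.strip() == "1" and int(sid) == rule["sid"]
    return int(m) == rule["sid"]   # bare sid

def conf_lines(conf_text):
    """Lines of a .conf file, skipping blanks and '#' comments."""
    stripped = (x.strip() for x in conf_text.splitlines())
    return [l for l in stripped if l and not l.startswith("#")]

def resolve(disable_conf="", enable_conf=""):
    """Sorted sids left enabled after vendor default, then disable.conf, then
    enable.conf (assumption: the enable pass runs last, so it wins)."""
    enabled = []
    for group, line in SAMPLE_RULES:
        rule = parse_rule(group, line)
        state = rule["enabled"]
        if state and any(matcher_hits(m, rule) for m in conf_lines(disable_conf)):
            state = False
        if not state and any(matcher_hits(m, rule) for m in conf_lines(enable_conf)):
            state = True
        if state:
            enabled.append(rule["sid"])
    return sorted(enabled)

if __name__ == "__main__":
    print("vendor default:        ", resolve())
    print("enable.conf 're: .':   ", resolve(enable_conf="re: ."))
    print("disable.conf 'group:*':", resolve(disable_conf="group:*"))
    print("only tor.rules:        ", resolve(disable_conf="group:*", enable_conf="group:tor.rules"))
```

The group name to use in a real enable.conf is the file name as it appears inside the downloaded source, which for the Tor block list in et/open is tor.rules rather than emerging-tor.rules.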
Hack3rcon (Jason Long), October 8, 2023, 10:09am, #5
Hello,
As you see, I enabled et/open, so why can't I see the rules that exist at https://rules.emergingthreats.net/blockrules/?
How can I find the group name?