Suricata-Update - Use Only Local Rules

Hello, I have what I hope may be a simple question, but I haven’t been able to answer it myself, so I’m turning to the forum.

Simply put, when using a collection of local rules files with suricata-update, how do I ensure that it does not follow the default behavior and use the ET-Open rule set even though I have disabled it?
I am crafting large sets of custom rules for our implementation and want to use suricata-update, but everytime I run it, even with the et/open entry disabled from the source list, it says “No sources configured, will use Emerging Threats Open” and proceeds to try to integrate them.

I have the relevant groups disabled, but it still throws 20k+ disabled rules into the suricata.rules file and I would prefer to avoid that.

What am I doing incorrectly?

Thank you!

You’re not doing anything wrong, we just haven’t made it easy to handle this use case which is something we should fix. I thought --offline would help here, but it looks like there is an issue with that option which we will fix.

For now, this workaround should get you going, and won’t break in the future. Add --url file:///dev/null. This will override the defaulting to ET/Open as a rule source.


Thank you very much for your quick reply!
That should work nicely!