Suricata-Update - Use Only Local Rules

Hello, I have what I hope may be a simple question, but I haven’t been able to answer it myself, so I’m turning to the forum.

Simply put, when using a collection of local rules files with suricata-update, how do I ensure that it does not follow the default behavior and use the ET-Open rule set even though I have disabled it?
I am crafting large sets of custom rules for our implementation and want to use suricata-update, but every time I run it, even with the et/open entry disabled from the source list, it says “No sources configured, will use Emerging Threats Open” and proceeds to try to integrate them.

I have the relevant groups disabled, but it still throws 20k+ disabled rules into the suricata.rules file and I would prefer to avoid that.

What am I doing incorrectly?

Thank you!

You’re not doing anything wrong, we just haven’t made it easy to handle this use case which is something we should fix. I thought --offline would help here, but it looks like there is an issue with that option which we will fix.

For now, this workaround should get you going, and won’t break in the future. Add --url file:///dev/null. This will override the defaulting to ET/Open as a rule source.

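The workaround from the reply above, wrapped in a script as an added example (not code from the Suricata project or from either poster): it runs suricata-update with `--url file:///dev/null` so the tool does not fall back to ET/Open, feeds it only local rule files, and then checks the merged `suricata.rules` for commented-out ET rules, which is the symptom the question describes. The rule directories, the sample rules and the "ET " message-prefix heuristic are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Suricata project or the forum thread.
# Runs suricata-update against local rules only, using --url file:///dev/null
# (the workaround from the reply) to override the implicit ET/Open default,
# then checks the merged output for ET-sourced rules. Paths are assumptions.
set -eu

# Build the command line for a local-only run (used for display and testing).
# $1 = directory or file of custom rules, $2 = output directory.
build_update_cmd() {
    printf 'suricata-update --url file:///dev/null --local %s --output %s' "$1" "$2"
}

# Print "<enabled> <disabled>" for a rules file: enabled rules start with an
# action keyword, disabled ones are the same line commented out with '#'.
count_rules() {
    enabled=$(grep -c -E '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true)
    disabled=$(grep -c -E '^[[:space:]]*#[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true)
    printf '%s %s\n' "$enabled" "$disabled"
}

# Heuristic check: ET Open rule messages start with "ET ". Returns 0 when no
# such rule is present (enabled or disabled), 1 when one is.
assert_no_et_rules() {
    if grep -q -E '^[[:space:]]*#?[[:space:]]*(alert|drop|pass|reject).*msg:"ET ' "$1"; then
        return 1
    fi
    return 0
}

# Write a constructed suricata.rules sample (not real tool output) to $1 so the
# checks above can be exercised without suricata-update installed.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL reverse shell port"; sid:9000001; rev:1;)
alert dns any any -> any any (msg:"LOCAL suspicious TLD"; dns.query; content:".zip"; sid:9000002; rev:1;)
# alert http any any -> any any (msg:"LOCAL retired rule"; sid:9000003; rev:1;)
EOF
}

# Constructed file that looks like the unwanted outcome: a disabled ET rule merged in.
write_polluted_rules() {
    write_sample_rules "$1"
    printf '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN constructed example"; sid:2000001; rev:1;)\n' >> "$1"
}

# Run the real tool when installed and verify its output; otherwise show the command.
# $1 = local rules directory, $2 = output directory (assumed paths).
run_local_update() {
    if command -v suricata-update >/dev/null 2>&1; then
        suricata-update --url file:///dev/null --local "$1" --output "$2"
        assert_no_et_rules "$2/suricata.rules" || {
            echo "ET rules present in $2/suricata.rules" >&2
            return 1
        }
        echo "local-only update OK: $(count_rules "$2/suricata.rules") (enabled disabled)"
    else
        echo "suricata-update not installed; would run: $(build_update_cmd "$1" "$2")"
    fi
}

# Demo on a temporary copy of the constructed sample: ./script.sh demo
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/local" "$tmp/out"
    write_sample_rules "$tmp/local/local.rules"
    echo "sample counts: $(count_rules "$tmp/local/local.rules") (enabled disabled)"
    run_local_update "$tmp/local" "$tmp/out"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The ET check is deliberately run over commented-out lines too, since the complaint in the question is the 20k+ disabled rules landing in `suricata.rules`, not enabled ones; a clean local-only run should contain neither.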

Thank you very much for your quick reply!
That should work nicely!

Thanks!