Suricatac add single rule

iain · September 3, 2021, 1:10am

Does suricatac (the socket) have the ability to add / modify a single rule? I know the socket allows reloading rules, but a single rule? Would you consider any effort in updating that part of suricatac to include the addition / modification based on SID etc.

Jeff_Lucovsky · September 5, 2021, 2:08pm

Hi,
Are you asking if suricatasc can be used to add a single rule to an existing ruleset?

If so, the answer is no. What you can do is

echo "some-new-rule" >> /path/to/existing/suricata.rules
suricatasc -c ruleset-reload-rules

iain · September 6, 2021, 6:40am

Ok… wow, that’s heaps better than what I was hoping to achieve!

I was interested in the suricatac commands and building my own client as per the documentation, however the commands in there are very well developed & mature. I am a little frustrated that, of course, pcap commands have been taken out, and was there any good reason for that?

Jeff_Lucovsky · September 6, 2021, 1:05pm

Use the runmode unix-sockets if you want to use the pcap commands:

suricata --runmode=unix-socket ... and then use suricatasc

Topic		Replies	Views
Running suricata-update Help	6	1070	December 29, 2021
Issue with modifying rule more than once suricata-update Rules	4	907	January 11, 2021
Instruction to write rules on Suricata Help	7	1464	February 12, 2021
Can Suricata support multiple rule sets in one process in divert mode(one divert port for one rule set)? Developers suricata	0	287	January 18, 2023
Suricatasc error: Reload already in progress Help suricata	21	531	May 14, 2023

Suricatac add single rule

Related Topics