Sync between multiple suricatas

n00bsteam · March 18, 2021, 12:14pm

Hi everyone!

I need an advice, how i can sync suricate rules, include suppressions and trashholds, between multiple suricatas install?

Thx community for u hard and great work!

Jeff_Lucovsky · March 18, 2021, 1:26pm

One way is to manage rules and threshold.config on a system separate from the suricata instances and then distribute the rules/config file to each instance.

There are other ways, of course, but this is a straightforward way.

n00bsteam · March 18, 2021, 1:35pm

I have already try this way, but after actions->build and push threshold.config back to previous version(

n00bsteam · March 18, 2021, 1:41pm

What about other ways?

Jeff_Lucovsky · March 18, 2021, 1:43pm

Could you explain that process more?

n00bsteam · March 18, 2021, 2:15pm

Sure, at first config sources at all IDS (i use Scirius CE, if it important), update all rulse, then go to suricata->ruleset actions->build&push, after copy from IDS-1 /etc/suricata/rules/ two files: threshold.config and scirius.rules to another IDS and same action “go to suricata->ruleset actions->build&push”.

What i do wrong?

Jeff_Lucovsky · March 19, 2021, 3:25pm

There’s nothing wrong with this approach – thanks for the additional context.

n00bsteam · March 19, 2021, 4:55pm

But it doesn’t work(

Jeff_Lucovsky · March 20, 2021, 12:24pm

Could you open an issue here? Issues · StamusNetworks/scirius · GitHub

n00bsteam · March 21, 2021, 10:50am

Done. Sync suricata srules\thresholds\suppressions between multiple Scirius install · Issue #225 · StamusNetworks/scirius · GitHub

Topic		Replies	Views
Question about suricata-update Help suricata-update	4	406	March 15, 2021
Truing up deleted rules with threshold file	14	308	June 8, 2023
Tool to manage rules Rules	4	430	February 2, 2021
Suricata suppress rule error Help rules , suricata	2	231	July 25, 2023
Disable rules by SID not working	5	96	March 15, 2024

Sync between multiple suricatas

Related Topics