Unable to enable additional rulesets, always defaults to Emerging Threats Open

unknown · July 2, 2025, 7:27pm

Hello everyone!
I am trying to enable an additional ruleset using suricata-update as described in the documentation. For instancse, following the official guide to enable the OISF TrafficID ruleset I am running the following commands:

sudo suricata-update update-sources
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update

However, when I run suricata-update, I get the message:

No sources configured, will use Emerging Threats Open

And it only loads rules from Emerging Threats Open, ignoring the one I tried to enable.

I verified the enabled sources using:

suricata-update list-sources --enabled

and the oisf/trafficid appears in the list.

Environment details:

Suricata version: 7.0.10

suricata-update version: 1.3.4

Operating system: Ubuntu Server 24.04 LTS

Suricata was installed from repository ppa:oisf/suricata-stable

Am I missing something? How can I properly enable and load additional rule sources?

Also, does anyone know of any community-maintained rulesets for services like Ruby on Rails, Ingress-NGINX, PostgreSQL, and Grafana?

Thanks in advance!

Andreas_Herz · July 17, 2025, 8:50pm

Could it be that it is related to the fact that you run some of the commands with sudo and some without?

unknown · July 23, 2025, 6:53pm

I don’t belive this is the reason, since I am runing all command as root.
However, I found a workaround (leaving it here in case someone else runs into the same issue):

Download the Suricata rule sources file:

curl -O https://www.openinfosecfoundation.org/rules/index.yaml

In this YAML file, look for the url: fields - these are the URLs from which rule sets are downloaded

Then create the file /etc/suricata/update.yaml with permissions 644 and ownership root:root.

sudo touch /etc/suricata/update.yaml
sudo chmod 644 /etc/suricata/update.yaml
sudo chown root:root /etc/suricata/update.yaml

Add the URLs from index.yaml file to this file:

sources:
  # Emerging Threats Open with the Suricata version dynamically replaced.
  - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  # The SSL blacklist, which is just a standalone rule file.
  - https://sslbl.abuse.ch/blacklist/sslblacklist.rules

The link to the documentation

After that you can run suricata-update. It should now recognize and fetch the new rule sources properly

Thank you!

jonny5 · July 23, 2025, 7:30pm

There are several ‘suricata-update’ files that help it work, here’s a repo where I share some of the configs I use

To have suricata-update create the ‘template config’ files:

suricata-update --dump-sample-configs

Afterwards I suggest editing the sample configs to meet your needs