Unable to enable additional rulesets, always defaults to Emerging Threats Open

Hello everyone!
I am trying to enable an additional ruleset using suricata-update as described in the documentation. For instance, following the official guide to enable the OISF TrafficID ruleset I am running the following commands:

sudo suricata-update update-sources
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update

However, when I run suricata-update, I get the message:

No sources configured, will use Emerging Threats Open

And it only loads rules from Emerging Threats Open, ignoring the one I tried to enable.

I verified the enabled sources using:

suricata-update list-sources --enabled

and oisf/trafficid appears in the list.

Environment details:

  • Suricata version: 7.0.10
  • suricata-update version: 1.3.4
  • Operating system: Ubuntu Server 24.04 LTS
  • Suricata was installed from repository ppa:oisf/suricata-stable

Am I missing something? How can I properly enable and load additional rule sources?

Also, does anyone know of any community-maintained rulesets for services like Ruby on Rails, Ingress-NGINX, PostgreSQL, and Grafana?

Thanks in advance!

Could it be that it is related to the fact that you run some of the commands with sudo and some without?

I don't believe this is the reason, since I am running all commands as root.
However, I found a workaround (leaving it here in case someone else runs into the same issue):

  1. Download the Suricata rule sources file:

curl -O https://www.openinfosecfoundation.org/rules/index.yaml

In this YAML file, look for the url: fields; these are the URLs from which rule sets are downloaded.

  2. Then create the file /etc/suricata/update.yaml with permissions 644 and ownership root:root:

sudo touch /etc/suricata/update.yaml
sudo chmod 644 /etc/suricata/update.yaml
sudo chown root:root /etc/suricata/update.yaml

  3. Add the URLs from the index.yaml file to this file:

sources:
  # Emerging Threats Open with the Suricata version dynamically replaced.
  - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  # The SSL blacklist, which is just a standalone rule file.
  - https://sslbl.abuse.ch/blacklist/sslblacklist.rules

The link to the documentation

  4. After that you can run suricata-update. It should now recognize and fetch the new rule sources properly.

Thank you!

There are several 'suricata-update' files that help it work; here's a repo where I share some of the configs I use.

To have suricata-update create the ‘template config’ files:

suricata-update --dump-sample-configs

Afterwards I suggest editing the sample configs to meet your needs.
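Both the update.yaml workaround and the sample-config suggestion above come down to the same question: which sources can suricata-update actually see when it runs? The script below is an added example, not code from this thread or from the suricata-update project. It reproduces that lookup against a throwaway directory so you can watch the "No sources configured" fallback trigger and then go away. It assumes the default layout (--data-dir /var/lib/suricata, with enable-source writing <data-dir>/update/sources/<vendor>-<name>.yaml, and an optional update.yaml whose top-level sources: key lists URLs), and that the %(__version__)s placeholder is replaced with the full Suricata version string; the marker file content and the demo directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the suricata-update project.
# Assumed suricata-update layout (default --data-dir is /var/lib/suricata):
#   <data-dir>/update/sources/<vendor>-<name>.yaml   created by `enable-source`
#   update.yaml (default /etc/suricata/update.yaml)   optional top-level `sources:` URL list
# If neither yields anything, suricata-update falls back to Emerging Threats Open.

# List enabled sources (marker file names without .yaml), one per line.
enabled_sources() {
    data_dir=$1
    for f in "$data_dir"/update/sources/*.yaml; do
        [ -e "$f" ] || continue      # unexpanded glob: directory empty or missing
        basename "$f" .yaml
    done
}

# Print the URLs under the top-level `sources:` key of an update.yaml-style file.
# Minimal parser: only the "- url" list form shown in the thread is handled.
config_source_urls() {
    cfg=$1
    [ -f "$cfg" ] || return 0
    awk '
        /^[^[:space:]#]/ { in_sources = ($1 == "sources:"); next }   # top-level key
        in_sources && $1 == "-" { print $2 }                         # list item
    ' "$cfg"
}

# Return 0 if at least one source is visible, 1 if the ET Open fallback would apply.
sources_configured() {
    data_dir=$1
    cfg=$2
    n=$({ enabled_sources "$data_dir"; config_source_urls "$cfg"; } | wc -l | tr -d ' \t')
    [ "$n" -gt 0 ]
}

# Expand the %(__version__)s placeholder used in the ET Open URL (assumption: the
# full Suricata version string, e.g. 7.0.10, is substituted).
expand_url() {
    template=$1
    version=$2
    printf '%s\n' "$template" | sed "s|%(__version__)s|$version|g"
}

# --- demo against a throwaway directory (every file below is constructed) ---
demo=$(mktemp -d)
cfg="$demo/update.yaml"

if sources_configured "$demo" "$cfg"; then echo "sources found"; else
    echo "No sources configured, will use Emerging Threats Open"; fi

# Marker file like the one `suricata-update enable-source oisf/trafficid` leaves
# behind (content simplified for the demo).
mkdir -p "$demo/update/sources"
printf 'source: oisf/trafficid\n' > "$demo/update/sources/oisf-trafficid.yaml"
echo "enabled: $(enabled_sources "$demo")"

# The update.yaml from the workaround post.
cat > "$cfg" <<'EOF'
sources:
  # Emerging Threats Open with the Suricata version dynamically replaced.
  - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  # The SSL blacklist, which is just a standalone rule file.
  - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
EOF
config_source_urls "$cfg" | while read -r url; do
    echo "fetch: $(expand_url "$url" 7.0.10)"
done
sources_configured "$demo" "$cfg" && echo "sources found"

rm -rf "$demo"
```

To check a real host, call `sources_configured /var/lib/suricata /etc/suricata/update.yaml` (or whatever -D/--data-dir and -c you pass on the command line). The check is per data directory and per config file, so the `update-sources`, `enable-source` and plain `suricata-update` invocations all have to use the same ones; an enabled source written under one data directory is invisible to a run that reads another.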